//V-^ZO 



on Nuclear Propulsion Safety for the Space 
Exploration Initiative _ 


Albert C Marshall, James H. Lee, and William H. McCulloch 
Sandia National Laboratory 

Albuquerque, New Mexico _____ 

J, Charles Sawyer, Jr. 

NASA Headquarters 

Washington, D.C. ^ 


Robert A. Bari 

Brookhaven National Laboratory 
Upton, New York 

Hatice S. Cullingford and Alva C. Hardy 
NASA Johnson Space Center 
Houston, Texas 

George F. Niederauer 

Los Alamos National Laboratory 

Los Alamos, New Mexico 

Kerry Renip 

Lewis Research Center . _ _ 

Cleveland, Ohio 

John W. Rice 

Idaho National Engineering Laboratory 
Idaho Falls, Idaho 

Joseph A. Sholtis 
Kirtiand Air Force Base 
Kirtland AFB, New Mexico 


and 


Neil W. Brown _ _ 
General Electric 
San Jose, California 


April 1993 

NASA 


( NAS A-TM-105705) NUCLEAR SAFETY 
POLICY WORKING GROUP 
RECOMMENDATIONS ON NUCLEAR 
PROPULSION SAFETY FOR THE SPACE 
EXPLORATION INITIATIVE (NASA) 

63 p 


N93-26200 


Unci as 


<S3 

M/20 0159288 



Nuclear Safety Policy Working Group 
Recommendations on Nuclear Propulsion Safety 

for the 

Space Exploration Initiative 


September 27, 1991 


Albert C. Marshall 

Chairman 

Sandia National Laboratories 

J. Charles Sawyer, Jr. 

Vice Chairman 

NASA Headquarters 

Members: 

Robert A. Bari 
Hatice S. Cullingford 


Brookhaven National 
Laboratory 

Johnson Space Center* 

Alva C. Hardy 


Johnson Space Center 

James H. Lee 


Sandia National Laboratories 

William H. McCulloch 


Sandia National Laboratories 

George F. Niederauer 


Los Alamos National 
Laboratory 

Kerry Remp 


Lewis Research Center 

John W. Rice 
Joseph A. Sholtis 


Idaho National Engineering 
Laboratory 

United States Air Force 

Neil W. Brown 

Advisor 

General Electric 


* Representing the Lunar and Mars Exploration Program Office 

This report represents a consensus opinion of the Nuclear Safety Policy Working 
Group and does not necessarily represent the official views of NASA, DOD, or 
DOE. No inferences should be drawn from this report regarding official 
funding commitments or policy decisions. 



NSPWG Report 


Abstract 

An interagency Nuclear Safety Policy Working Group (NSPWG) was 
chartered to recommend nuclear safety policy, requirements, and guidelines for 
the Space Exploration Initiative (SEI) nuclear propulsion program. These 
recommendations, which are contained in this report, should facilitate the 
implementation of mission planning and conceptual design studies. The NSPWG 
has recommended a top-level policy to provide the guiding principles for the 
development and implementation of the SEI nuclear propulsion safety program. 
In addition, the NSPWG has reviewed safety issues for nuclear propulsion and 
recommended top-level safety requirements and guidelines to address these 
issues. These recommendations should be useful for the development of the 
program’s top-level requirements for safety functions (referred to as Safety 
Functional Requirements). The safety requirements and guidelines address the 
following topics: reactor start-up, inadvertent criticality, radiological release and 
exposure, disposal, entry, safeguards, risk/reliability, operational safety, ground 
testing, and other considerations. 


i/ii 



NSPWG Report 


Contents 

Abstract i 

List of Figures v/vi 

List of Acronyms vii 

Executive Summary ix 

E.l Recommended Safety Policy ix 

E.2 Requirements and Guidelines Recommended for Flight Safety x 

E.2.1 Recommended Safety Requirements x 

E.2. 1.1 Reactor Start-Up x 

E.2. 1.2 Inadvertent Criticality xi 

E.2. 1.3 Radiological Release and Exposure xi 

E.2. 1.4 Disposal , xii 

E.2. 1.5 Entry ...... . xii 

E.2.1. 6 Safeguards xii 

E.2.2 Recommended Safety Guidelines xii 

E.2.2.1 Risk/Reliability xii 

E.2.2.2 Operational Safety xiii 

E.2.2.3 Flight Trajectory and Mission Abort xiii 

E.2.2.4 Space Debris and Meteoroids xiii 

E.3 Ground Test Safety Recommendations xiii 

E.3.1 Ground Test Needs for Flight Safety Validation xiii 

E.3.2 Ground Facility and Equipment Safety xiv 

E.4 Suggested Future Activities xv/xvi 

1. Introduction 1-1 

1.1 Background 1-1 

1.2 Scope 1-3 

1.3 Approach 1-5 

1.4 Report Organization 1-7 

2. Recommended Safety Policy 2-1 

2.1 Statement 2-1 

2.2 Discussion 2-1 

3. Recommended Safety Requirements for Flight Systems 3-1 

3.1 Intended Use of Recommended Requirements 3-1 

3.2 Recommended Requirements 3-1 

3.2.1 Reactor Start-Up 3-2 

3.2.2 Inadvertent Criticality 3-2 

3.2.3 Radiological Release and Exposure 3-3 

3.2.4 Disposal 3-5 

3.2.5 Entry 3-6 

3.2.6 Safeguards 3-7 


iii 


NSPWG Report 


4. Recommended Guidelines for Flight Systems 4-1 

4.1 Intended Use of Guidelines 4-1 

4.2 Recommended Guidelines 4-1 

4.2.1 Risk/Reliability 4-1 

4.2. 1.1 Reliability Program..... . 4-1 

4.2. 1.2 Risk Analysis 4-2 

4.2.2 Operational Safety 4-4 

4.2.2. 1 Integrating Safety Considerations 4-6 

4.2.2.2 Criticality and Control Calibration 4-6 

4.2.2.3 Role of Flight Crew in Nuclear Operations 4-6 

4. 2. 2. 4 Instrumentation Requirements and Operational 

Strategies 4-6 

4.2.2.5 Development of the Operational Duty Cycle 4-6 

4.2.2.6 Extra Vehicular Activity 4-7 

4.2.2.7 Proximity Operations 4-7 

4.2.2.8 Testing and Surveillance 4-7 

4.2.3 Flight Trajectory and Mission Abort 4-7 

4.2.4 Space Debris and Meteoroids 4-8 

5. Recommended Guidelines for Ground Activities 5-1 

5.1 Ground Test Needs for Safety Validation iiiMivniiftrriTTiTvviriiiiiiiiiiiivtvi** 5* 1 

5. 1.1 Background 5— 1 

5.1.2 Recommendations 5-1 

5.2 Ground Facility and Equipment Safety 5-2 

5.2.1 Background 5-2 

5.2.2 Ground Test Facility Recommendation 5-4 

5.2.3 Transportation Equipment 5-6 

5.2.4 Launch Facility 5-7 

6. Suggested Future Activities 6-1 

6.1 Safety, Quality, and Reliability Program Plans 6-1 

6.2 Public Participation 6-2 

Glossary of Terms G-l 

References R - 1 

Appendix A. Charter A-l 

Appendix B. Panel Background B - 1 


iv 



NSPWG Report 


List of Figures 

1-1. Development of Safety Policy and Requirements 1-4 

1-2. NSPWG Activity Schedule .. 1-6 

4-1. Proposed Role of Risk and Safety Analysis in SEI (Simplified) 4-3 

4-2. Recommended Application of Reliability and Risk Analysis in SEI 

Nuclear Propulsion Program 4-5 

A-l. Letter from Earl J. Wahlquist, Acting Associate Deputy Assistant 

Secretary for Space and Defense Power Systems A-2 


v/vi 



NSPWG Report 


List of Acronyms 

AEC — Atomic Energy Commission 
AFISC — Air Force Inspection and Safety Center 
ALARA — as low as reasonably achievable 
ANP — Aircraft Nuclear Propulsion 

ANS — American Nuclear Society or American National Standard 

ASME — American Society of Mechanical Engineers 

BPV Code — Boiler and Pressure Vessel Code 

BNL — Brookhaven National Laboratory 

CFR — Code of Federal Regulations 

DOD — Department of Defense 

DOE — Department of Energy 

DOT — Department of Transportation 

EIS — Environmental Impact Statement 

EPA — Environmental Protection Agency 

ERDA — Energy Research and Development Administration 

EVA — extra-vehicular activity 

FEMA — Failure Mode and Effects Analysis 

FSAR — final safety analysis report 

FT A — fault tree analysis 

FY — fiscal year 

GCR — galactic cosmic radiation 
GE — General Electric Company 
HQ — Headquarters 

IAEA — International Atomic Energy Agency 

IEEE — Institute of Electrical and Electronics Engineers, Inc. 

INEL — Idaho National Engineering Laboratory 

INSRP — Interagency Nuclear Safety Review Panel 

JSC — Johnson Space Center 

LANL — Los Alamos National Laboratory 

LeRC — Lewis Research Center 

LMEPO — Lunar Mars Exploration Program Office 

MRA — mission risk assessment 

NASA — National Aeronautics and Space Administration 

NCRP — National Commission on Radiological Protection and Measurements 

NEP — nuclear electric propulsion 

NERVA — Nuclear Engine for Rocket Vehicle Application 

NPS — nuclear power/propulsion system 

NRC — Nuclear Regulatory Commission 

NSPWG — Nuclear Safety Policy Working Group 

NTP — nuclear thermal propulsion 

OECD — Organization for Economic Cooperation and Development 

OSHA — Occupational Safety and Health Administration 

PRA — probabilistic risk assessment 

PSAR — preliminary safety analysis report 

RLA — request for launch approval 


vii 


NSPWG Report 


RTG — radioisotope thermoelectric generator 

SAR — safety analysis report 

SDIO — Strategic Defense Initiative Organization 

SEI — Space Exploration Initiative 

SER — safety evaluation report 

SIP — safety implementation plan 

SNAP — System(s) for Nuclear Auxiliary Power 

SNAP-10A — A 500-W(e) space reactor power system developed under the 
SNAP program and flight tested in 1965. 

SNL — Sandia National Laboratories 

SNM — special nuclear material 

SST — Safe Secure Trailer 

US — United States 

USAF — United States Air Force 

USAR — updated safety analysis report 


viii 



NSPWG Report 


Executive Summary 

Nuclear propulsion has been identified as an essential technology for the 
successful implementation of the Space Exploration Initiative (SEI). Interagency 
(NASA, DOE, and DOD) workshops were held in the summer of 1990 to 
explore the options, issues, and requirements for the development of nuclear 
propulsion systems in support of SEI. The workshop participants recognized the 
vital importance of safety to a nuclear propulsion program and recommended 
the formation of an interagency working group to formulate a sound safety 
policy for SEI nuclear propulsion. Such a group, named the Nuclear Safety 
Policy Working Group (NSWPG), was chartered in the fall of 1990 to develop 
and recommend a top-level nuclear safety policy. This working group was also 
asked to develop recommendations for a number of specific nuclear propulsion 
safety topics. The recommendations of the working group are presented in this 
document. The NSPWG recommendations apply only to the present scope of 
planned SEI nuclear propulsion activities. Consistent and thorough application 
of these recommendations should provide reasonable assurance that launch 
approval can be obtained. 

E.l Recommended Safety Policy 

The safety policy recommended by the NSPWG establishes the importance 
and priority that must be placed on safety and establishes the broad framework 
and overall guiding principles for the development and implementation of an 
effective nuclear propulsion safety program. The recommended policy 
statement is provided below and is discussed in Subsection 2.2. 


Ensuring safety is a paramount objective of the Space Exploration 
Initiative nuclear propulsion program; all program activities shall be 
conducted in a manner to achieve this objective. The fundamental 
program safety philosophy shall be to reduce risk to levels as low as 
reasonably achievable. In conjunction with this philosophy, stringent 
design and operational safety requirements shall be established and 
met for all program activities to ensure the protection of individuals 
and the environment. These requirements shall be based on applicable 
regulations, standards, and research. 

A comprehensive safety program shall be established. It shall 
include continual monitoring and evaluation of safety performance and 
shall provide for independent safety oversight. Clear lines of 
authority, responsibility, and communication shall be established and 
maintained. Furthermore, program management shall foster a safety 
consciousness among all program participants and throughout all 
aspects of the nuclear propulsion program. 


ix 



NSPWG Report 


E.2 Requirements and Guidelines Recommended for Flight Safety 

In addition to this safety policy, the NSPWG has recommended top-level 
flight safety requirements and guidelines. These recommended requirements 
and guidelines should be used by SEI program safety management to develop 
the program’s top-level requirements for safety functions, referred to as Safety 
Functional Requirements. The recommended requirements and guidelines 
should be useful for the purpose of conceptual design and program planning. 
In comparison with the safety requirements, the safety guidelines are more in 
the nature of suggestions or specific programmatic guidance; they are more 
tentative than the safety requirements. These guidelines may be used to help 
formulate Safety Functional Requirements as more information becomes 
available. 


E.2.1 Recommended Safety Requirements 

Recommended safety requirements were developed for reactor start-up, 
inadvertent criticality, radiological release and exposure, disposal, entry, and 
safeguards. Both quantitative and qualitative requirements were recommended. 
Quantitative requirements for radiological exposures were recommended only 
when applicable established guidance could be cited. (Qualitative terms are 
defined in the report’s glossary and are discussed in the text.) More specific 
and quantitative design requirements must be developed as the program matures 
and specific concepts are selected. 

The policy philosophy of reducing risk to as low as reasonably achievable 
couples the development and revision of all safety requirements to the effect on 
risk. This approach allows the development of stringent requirements that are 
reasonable in the context of their application. A different set of stringent 
requirements will be needed for other space nuclear programs. 

The recommendations for SEI nuclear propulsion flight safety requirements 
are provided in the following list. These flight safety requirements are 
discussed in Section 3. Guidance for ground test safety is given in Subsection 
E.3 and Section 5. 

E.2. 1.1 Reactor Start-Up. 

• The reactor shall not be operated prior to space deployment , 
except for low-power testing on the ground, for which negligible 
radioactivity is produced. 

• The reactor shall be designed to remain shut down prior to the 
system achieving its planned orbit. 

A "planned orbit" is an Earth orbit condition, prior to insertion into an 
interplanetary or Earth-Lunar trajectory, that has been predetermined to be safe 
for reactor start-up operations. 



NSPWG Report 


£.2.1.2 Inadvertent Criticality. 

• Inadvertent criticality shall be precluded for both normal and 
credible accident conditions. 

E.2.1.3 Radiological Release and Exposure. The following requirements 
apply only to radiological releases and exposures from reactor systems operating 
in space. Potential radiological releases on Earth are implicitly addressed under 
reactor start-up, inadvertent criticality, disposal, and entry. 29 CFR 1910.96 
(U.S. OSHA, 1989), cited below, is equivalent to 10 CFR 20 (U.S. NRC, 1991a) 
for radiation workers and includes a 5 rem/year whole body dose limit to 
astronauts from on-board radiation sources. 


I. Routine Operations and Expected Occurrences 

• Use 29 CFR 1910.96 dose limits for on-board radiological 

sources. 

• Radiological releases from the spacecraft shall not impair its use. 

• Radiological release from the spacecraft shall not contribute 
significantly, over an extended period of time, to any local space 

environment. 

• Radiological release from the spacecraft shall have an 
insignificant effect on Earth. 

II. Accidents 

• The probability of accidents involving radiological release 
affecting the immediate or long-term health of the crew shall be 
extremely low. 

• For those accidents involving radiological release for which the 
crew is expected to survive, the radiological release shall not 
render the spacecraft unusable. 

• The probability of a significant radiological effect from an 
accident on any local space environment over an extended period 
of time shall be extremely low. 

• The consequence on Earth of a radiological release from an 
accident in space shall be insignificant. 

The term "insignificant" as used here for the effect on Earth of a 
radiological release in space means "much less than the value specified for 
terrestrial guidelines." An "extremely low probability event" is one that is not 
expected to ever occur during the execution of the SEI program. "Significant" 
means "greater than the most appropriate guideline or norm." An "extended 
period of time" is understood to mean "encompassing the time period of 
potential future space enterprises in the region of space under consideration." 


xi 



NSPWG Report 


E.2.1.4 Disposal. (See entry also.) 

• Safe disposal of spent nuclear systems shall be explicitly 
included in Space Exploration Initiative mission planning. 

• Adequate and reliable cooling , control, and protection for the 
reactor system shall be provided for all normal and credible 
accident conditions to prevent reactor system disruption or 
degradation that could preclude safe disposal. 

E.2.1.5 Entry. Entry refers to an event in which a reactor system enters 
the atmosphere or impacts the surface of Earth or another celestial body. 

• Planned Earth entry shall be precluded from mission profiles. 

• Both the probability and the consequences of an inadvertent entry 
shall be made as low as reasonably achievable. 

• For inadvertent entry through an atmosphere, the reactor shall be 
essentially intact, or, alternatively, shall result in essentially full 
dispersal of radioactivity at high altitude. 

• For an impact, radioactivity shall be confined to a local area to 
limit radiological consequences. 

• The reactor shall remain subcritical throughout an inadvertent 
entry and impact. 

E.2.1.6 Safeguards. 

• Positive measures shall be provided to control and protect the 
nuclear system and its special nuclear materials (SNM) from 
theft, diversion, loss, or sabotage. 

• To the extent practicable, the design of the nuclear system shall 
incorporate features that enhance safeguards and permit proven 
safeguards methods to be employed. 

• Positive measures or features shall be provided to facilitate timely 
identification of the status as well as the location and, if 
necessary, recovery of the nuclear system or its SNM. 

E.2.2 Recommended Safety Guidelines 

Safety guidelines are recommended for risk/reliability, operational safety, 
flight trajectory and mission abort, as well as space debris and meteoroid safety 
considerations. These guidelines are presented in Section 4 and are briefly 
discussed below. 

E.2.2.1 Risk/Reliability. The design and development activities directed 
toward assuring high reliability in system features and functions should receive 


xii 



NSPWG Report 


major emphasis in any nuclear program. The reliability of the safety functions, 
in particular, is critically important to reducing risk. Demonstration of the 
achievement of the high-reliability and low-risk goals for SEI nuclear 
propulsion systems must be accomplished through analysis supported by feature, 
component, and subsystem testing. The analyses can be both quantitative and 
qualitative as well as deterministic and statistical. An extensive set of data must 
be evaluated and integrated to produce acceptable results. These efforts must 
also be inherently imbedded in the design and development engineering 
activities. Careful management attention to the planning and conduct of 
activities contributing to the achievement of the low-risk and high-reliability 
goals is required. 

E.2.2.2 Operational Safety. Operational safety is focused on activities 
associated with operation of the space nuclear propulsion system that are 
important to safety. It includes all phases of a mission, from pre-launch 
checkout through disposal of the spent nuclear system. Unique operational 
aspects important to design and development of a nuclear propulsion system 
have been identified and discussed in Section 4 with the objective of providing 
guidance for the SEI nuclear propulsion mission planning, design, and 
development efforts. Issues important to safety of both piloted and unpiloted 
missions are addressed. Issues unique to piloted missions have important 
implications for crew safety and can affect propulsion system requirements. 
Subsection 4.2.2 describes eight candidate operational issues. 

E.2.2.3 Flight Trajectory and Mission Abort. In addition to the 
considerations for chemical thrust mission trajectory planning, the designers of 
SEI missions using nuclear propulsion must address the nuclear safety issues 
during the process of trajectory design, analysis, and selection. Specific abort 
principles should be developed with systematic risk analysis and should include 
provisions for addressing the recommended safety requirements. 

E.2.2.4 Space Debris and Meteoroids. Meteoroids and space debris are a 
part of the space environment and need to be considered in development of 
safety and reliability requirements. Nuclear propulsion system designers must 
also address the need to minimize the potential for adding debris to the orbital 
environment surrounding Earth. 

E.3 Ground Test Safety Recommendations 

The NSPWG also recommended the general type of safety validation testing 
that could be required for nuclear propulsion systems and provided guidelines 
for ground facility and equipment safety. 

E.3.1 Ground Test Needs for Flight Safety Validation 

Control of hazards associated with space nuclear propulsion systems will 
require safety test information to validate analysis and to support demonstration 
of compliance with safety requirements. Early guidance on safety validation 
testing requirements is needed to permit identification of the scope of test 
facility needs. 


xiii 



NSPWG Report 


The ground test element of the safety program should focus on data 
required to assure safety objectives for flight systems will be achieved. These 
data are necessary to obtain flight approval. Some of the data identified will 
also be useful to other major tasks, such as ground testing of propulsion 
reactors. 

The flight safety tasks have been logically separated into four groupings: 
launch and deployment safety, operational safety, disposal safety, and 
inadvertent entry safety. Potential safety testing that should be considered 
during facility planning has been delineated Subsection 5.1.2. 

E.3.2 Ground Facility and Equipment Safety 

The testing of space nuclear propulsion reactors will be conducted on 
government sites in accordance with DOE orders. The DOE orders provide 
requirements and guidance that are consistent with the recommended policy 
statement. The DOE orders will require some interpretation in applying them 
to specific testing. Interpretation of specific details should be done as part of 
the design development and independent safety review process. 

Requirements for the control of radioactive material during normal, off- 
normal, and credible accident conditions have been developed for many types of 
ground test reactors. These generally can be applied to the testing of nuclear 
thermal propulsion (NTP) and nuclear electric propulsion (NEP) reactors. 
However, the necessity to exhaust the reactor coolant in the NTP presents a 
unique area of requirements that have only been considered during the Nuclear 
Engine for Rocket Vehicle Application (NERVA) program and the Aircraft 
Nuclear Propulsion (ANP) program. 

The issue of beyond-design-basis accidents also requires special attention 
and may have a strong influence on the approach selected for containment or 
confinement. The inherent capabilities of the nuclear thermal propulsion fuel 
to retain fission products may also influence the selection of technology 
development activities and safety features. Safety design activities must 
evaluate the value of risk-reducing design approaches and the practicality of 
implementing the approaches. Ground facility testing is discussed further in 
Subsection 5.2.2. 

Transportation safety and launch facility safety must also be addressed. A 
certified shipping container which meets DOT and DOE/NRC regulations must 
be used for the transport of fissile material (e.g., fuel, fuel rods, or a complete 
reactor assembly) between the ground test facility and the launch site. Safety 
procedures must be established and facility provisions must be available at the 
launch site to ensure that activities associated with the nuclear system will not 
pose a safety hazard. These considerations are discussed Subsections 5.2.3 and 
5.2.4. 


XIV 



NSPWG Report 


E.4 Suggested F uture Activities 

Suggested future activities for the program office to consider include the 
development of a safety, quality, and reliability plan (Subsection 6.1) and the 
development of a plan for public participation in the SEI nuclear propulsion 
program. The importance of a plan for public communication and participation 
and plan objectives are discussed in Subsection 6.2. 


xv/xvi 




NSPWG Report 


1. Introduction 

1.1 Background 

President Bush, in his speech on July 20, 1989, announced his plan to 
initiate the most ambitious exploration endeavor in history. This new program, 
the Space Exploration Initiative (SEI), would include a return to the moon and a 
manned mission to Mars by the year 2019. Nuclear propulsion has been 
identified as a key enabling technology to meet the objectives of the SEI 
program (Stafford, 1991). 

Nuclear thermal propulsion and nuclear electric propulsion are the two 
basic types of nuclear propulsion systems that could support the SEI program 
within the 2019 time frame: 

• Nuclear thermal propulsion (NTP) systems produce thrust by heating a 
propellant (usually hydrogen) passing through a nuclear reactor and 
expanding the hot gases through a nozzle. The very high temperature 
capability provided by a reactor and the use of a low molecular weight 
propellant provides a high specific impulse and high levels of thrust for a 
relatively low propellant and system mass. At these high thrust levels 
relatively brief reactor operational times (hours) are required for a voyage 
to Mars and back. A variety of solid, liquid, and gaseous core reactor 
concepts have been proposed for NTP systems. NTP solid core concepts 
have been proposed as the baseline technology for propulsion from Earth 
orbit to Mars orbit and back (Stafford, 1991). 

• Nuclear electric propulsion (NEP) concepts use reactor thermal power with 
a power conversion system to produce electrical power. The electrical 
power is then used to accelerate an ionized propellant through an electric 
thruster. NEP systems produce a very high specific impulse and very low 
thrust. NEP concepts require very little propellant and could entail 
relatively low propulsion system mass. A variety of reactors, power 
conversion devices, and electric thrusters have been proposed for NEP 
systems. NEP systems have been proposed as a follow-on propulsion 
technology for Mars cargo missions (Stafford, 1991) and is also under 
consideration for piloted missions. 

Nuclear propulsion is not a new concept. In fact, from the late 1950s 
through the early 1970s, space nuclear propulsion systems were aggressively 
pursued by the United States. The Nuclear Engine for Rocket Vehicle 
Application (NERVA) was developed as part of the ROVER nuclear thermal 
rocket program. Twenty propulsion reactors were designed, built and tested. 
Although the NERVA program established a viable capability, the program was 
terminated in 1973 due to changing national priorities. Nuclear electric 
propulsion systems were also designed and a variety of propulsion elements were 
tested, including arc jet and ion engines. The US flight-tested the SNAP-10A 


l-i 



NSPWG Report 


reactor power system in 1965. Electricity produced by the reactor power system 
was used to power an ion engine as part of an experimental package. 

In the summer of 1990, the National Aeronautics and Space Administration 
(NASA) held joint agency (NASA, DOE, and DOD) workshops to explore 
options, issues, and requirements to initiate a new nuclear propulsion program. 
A joint agency steering committee was formed during the workshops to guide 
the workshop activities. The workshop participants recognized the vital 
importance of safety to the successful application of nuclear propulsion for the 
Space Exploration Initiative. They also recognized the necessity of establishing 
nuclear safety policy during the conceptual stage to integrate safety into the 
program from its inception. As a consequence, one of the recommendations 
from the workshop was the formation of a joint agency working group to 
develop nuclear safety policy for space nuclear propulsion in support of the SEI 
program. The steering committee chartered the Nuclear Safety Policy Working 
Group (NSPWG) to develop and recommend a top level nuclear safety policy 
and to recommend safety requirements and guidelines for a number of specific 
nuclear propulsion safety topics. The NSPWG charter is provided in Appendix 
A. Five other working groups that interface with the NSPWG were also 
chartered. These other working groups address missions, nuclear thermal 
propulsion technology, nuclear electric propulsion technology, fuels/materials, 
and facilities. 

The NSPWG includes representatives from all three participating agencies. 
One industry representative was also appointed as an advisor. The NSPWG 
members and their affiliations are listed below: 


NSPWG Member 

ReDresentine 

From 

Albert C. Marshall - Chairman 

DOE 

SNL 

J. Charles Sawyer, Jr. - Vice Chair. 

NASA 

HQ 

Robert A. Bari 

DOE 

BNL 

Hatice S. Cullingford 

NASA 

JSC* 

Alva C. Hardy 

NASA 

JSC 

James H. Lee 

SDIO/DOD 

SNL 

William H. McCulloch 

DOE 

SNL 

George F. Niederauer 

DOE 

LANL 

Kerry Remp 

NASA 

LeRC 

John W. Rice 

DOE 

INEL 

Joseph A. Sholtis 

DOD 

USAF 

Neil W. Brown - Advisor 

Industry 

GE 


* Representing the Lunar and Mars Exploration Program Office 


Brief biographical sketches are provided for each member of the NSPWG in 
Appendix B. 


1-2 



NSPWG Report 


1,2 Scope 

Figure 1 - 1 illustrates the hierarchical structure for the development of SEI 
nuclear propulsion safety policy and requirements as visualized by the NSPWG. 
At the top of the hierarchy are the existing agency (DOE, NASA, DOD, EPA, 
etc.) policies and mandatory requirements. At the next level is a Joint Agency 
Space Nuclear Propulsion Safety Policy. The safety policy establishes the 
importance and priority placed on safety and provides the overall guiding 
principles for the development and implementation of an effective nuclear 
propulsion safety program. The Safety Functional Requirements delineate the 
specific safety functions required of the system or program (e.g., preclude 
inadvertent criticality). Top-level agency policies, mandatory requirements, the 
joint agency Space Nuclear Propulsion Safety Policy and Safety Functional 
Requirements are the responsibility of the cognizant agencies. The contractors’ 
responsibility begins at the level of system-specific design specifications. 
Design specifications guide system design and research. 

The scope of the NSPWG activities is illustrated on the left side of Figure 
1-1. The NSPWG-recommended safety policy should be used to formulate the 
joint agency Space Nuclear Propulsion Safety Policy for SEI. The NSPWG also 
has recommended safety requirements and guidelines for important safety issues 
and considerations. These recommended requirements and guidelines should be 
used by SEI management and program safety management to develop the 
program Safety Functional Requirements. Safety requirements and guidelines 
should be useful for the purpose of conceptual design and program planning. 
In comparison with the safety requirements, the safety guidelines are more in 
the nature of suggestions or specific programmatic guidance; they are more 
tentative than the safety requirements. These guidelines may be used to help 
formulate Safety Functional Requirements as more information becomes 
available. 

In the course of its deliberations, the NSPWG made several assumptions 
pertaining to the scope of its work. Although the working group’s efforts and 
the development of the policy included the consideration of non-nuclear safety 
issues, the development of requirements and guidelines focused on nuclear 
safety issues. Public involvement, the development of an overall safety program 
plan, and recommendations for a safety review process were identified as 
activities that should follow the establishment of the safety policy and are 
described in Section 6 as suggested future activities. Based on the proposed SEI 
mission architectures (e.g., Stafford, 1991), the NSPWG assumed that SEI would 
use nuclear propulsion beginning from orbits about Earth and other celestial 
bodies, on trajectories between celestial bodies and into deep space, and to and 
from the surfaces of any celestial body except Earth. All mission phases were 
included in the scope of the NSPWG activities. (The mission phases are divided 
into the prelaunch, launch and deployment, operational, and disposal phases.) 


1-3 


NSPWG Report 


NSPWG SEI NUCLEAR PROPULSION 

ACTIVITIES SAFETY REQUIREMENTS HIERARCHY 



Figure 1-1. Development of Safety Policy and Requirements 


1-4 














NSPWG Report 


1.3 Approach 

The development of the NSPWG recommendations took place during a 
series of ten meetings between November 1990 and September 1991. Three 
meetings were held in Albuquerque, New Mexico, two in Washington, D.C., one 
in Houston, Texas; the remaining meetings were conducted by teleconference. 
To allow for input from the community, NSPWG meeting minutes were mailed 
to a wide distribution. Participation by observers and guest speakers at 
meetings was permitted by special request. In addition, two open sessions were 
held in Washington, D.C. for all interested parties. Presentations of the NSPWG 
interim findings were also given at a Steering Committee meeting in Cleveland, 
Ohio in April 1991, at the 1991 annual meeting of the American Nuclear 
Society in Orlando, Florida in June 1991, and at an American Institute of 
Aeronautics and Astronautics conference in Cleveland, Ohio, in September 1991 
(Marshall and Sawyer, 1991). 

The schedule of NSPWG activities is provided by Figure 1-2. The NSPWG 
first established its scope, objectives, approach, and schedule and defined its 
terminology. Existing national and international safety requirements were 
reviewed (e.g., U.S. DOE, 1984). In addition, pertinent previously developed 
safety policies were also reviewed (e.g., Wahlquist, 1990). A top-level safety 
policy was formulated and distributed to the individuals on the minutes 
distribution list for comments. Comments received were then used to make 
appropriate modifications to provide the recommended safety policy presented 
in this document. 

Members were assigned principal responsibility for one or more of the 
safety issues identified in the charter or other safety issues identified by the 
NSPWG. The responsible NSPWG member for each safety topic presented a 
discussion of the topic to the group using a standard format. The format 
included the following subjects: 

• Scope 

• Issues 

• Discussion 

information available 
considerations, impact and implications 
justification of requirements and guidelines 
additional work needed, and safety testing 
NTP versus NEP considerations 
manned versus unmanned considerations 
reusability considerations. 

Discussions on each topic continued until consensus was reached on draft 
recommendations. 


1-5 



NSPWG Report 


NSPWG SCHEDULE OF ACTIVITIES 



FY91 



OCT NOV DEC 

JAN FEB MAR 

APR MAY JUN 

JUL AUG SEP 


Develop Objective — Q 

Scope and Approach 

Review Mandatory — 

Requirements 


Review Existing 
Safety Policies 


* O 


Recommend Safety 
Policy and Discussion 


* 


o 


Recommend Guidance 
For Facility Safety and 
Radiological Release 

Recommend Guidance 
For Remaining 
Safety Considerations 

Document 


*r-0 


* — o 


* 


X = Preliminary 
0= Pinal 


Figure 1-2. NSPWG Activity Schedule 


1-6 



NSPWG Report 


1.4 Report Organization 

The remainder of this report is organized as follows: 

• The recommended safety policy for the SEI nuclear propulsion program is 
presented in Section 2. Subsection 2.1 provides the text of the 
recommended safety policy. The policy is intended to be a clear and 
concise statement to enhance the visibility, importance, and comprehension 
of the guiding safety philosophy. An elaboration, interpretation, and 
discussion of the safety policy is provided in Subsection 2.2. 

• Recommended flight safety requirements are presented in Section 3. 
Subsection 3.1 provides guidance for the use of the requirements. Concise 
statements of the recommended requirements and a discussion of the 
requirements are given in Subsection 3.2. 

• Section 4 presents recommended safety guidelines for flight systems. 

■ Recommended guidelines for ground testing are provided in Section 5. 
Candidate safety validation tests are briefly discussed in Subsection 5.1 for 
the purpose of facility planning. Safety considerations for ground test 
facilities, ground transportation of nuclear systems, and nuclear safety at 
the launch site are discussed in Subsection 5.2. 

• A preliminary discussion of suggested future safety activities is presented 
in Section 6. 

• Appendixes A and B provide the NSPWG charter and the background of 
the working group members. 


1-7 




NSPWG Report 


2. Recommended Safety Policy 

2.1 Statement 

The following is the NSPWG-recommended policy statement. 


Recommended Space Exploration Initiative 
Nuclear Propulsion Safety Policy 

Ensuring safety is a paramount objective of the Space Exploration 
Initiative nuclear propulsion program ; all program activities shall be 
conducted in a manner to achieve this objective. The fundamental 
program safety philosophy shall be to reduce risk to levels as low as 
reasonably achievable. In conjunction with this philosophy, stringent 
design and operational safety requirements shall be established and 
met for all program activities to ensure the protection of individuals 
and the environment. These requirements shall be based on applicable 
regulations, standards, and research. 

A comprehensive safety program shall be established. It shall 
include continual monitoring and evaluation of safety performance and 
shall provide for independent safety oversight. Clear lines of 
authority, responsibility, and communication shall be established and 
maintained. Furthermore, program management shall foster a safety 
consciousness among all program participants and throughout all 
aspects of the nuclear propulsion program. 


2.2 Discussion 

The following expansion of the safety policy statement discusses the 
implications of each of the principles embodied in the safety policy. 

The Space Exploration Initiative nuclear propulsion program will develop 
propulsion systems to support human and robotic exploration of the solar 
system. Ensuring safety during the execution of the nuclear propulsion program 
is a paramount objective; all program activities shall be conducted in a manner 
to achieve this objective. This policy reflects the commitment at the highest 
levels of program management to safety. 

Safety is defined here as a condition judged to be of sufficiently low risk. 
In the context of this policy, safety is meant to include the health and safety of 
the public, program personnel, and mission crew as well as the protection of 
terrestrial and non-terrestrial environments. Safety also includes safeguarding 
nuclear systems and special nuclear materials against unauthorized use or 
diversion and protecting facilities and equipment from damage or loss. Safety 


2-1 


NSPWG Report 


must be a primary consideration in all phases of the nuclear propulsion 
program, including design, development, fabrication, transportation, ground 
testing, system integration and prelaunch activities, launch, deployment, flight 
testing, operation, and disposal. Safety should be integrated into the design 
from conception and must be a key consideration in all design, operational, and 
programmatic decisions. 

To ensure the protection of individuals and the environment, the 
fundamental program safety philosophy shall be to reduce risk to as low as 
reasonably achievable. Economic and social factors and technology maturity 
must be taken into account to guide the judgment of what is reasonably 
achievable. This philosophy couples the development and revision of all safety 
requirements to their effect on risk. Risk is a measure of potential harm or 
damage, incorporating both the probabilities of undesirable consequences and 
the magnitude of the consequences, such as number of exposed individuals, 
number of injuries and fatalities, and the level of environmental contamination. 
Reduction of risk implies a reduction in both the probability and consequences 
of potential adverse events. 

The development of stringent design and operational safety requirements is 
essential to implement the fundamental safety philosophy of reducing risk to as 
low as reasonably achievable. Safety requirements must also accommodate 
aversion to severe accidents of extremely low probability. These safety 
requirements must be established and met for all program activities and must be 
based on applicable regulations and standards and incorporate relevant 
developments from research activities. These requirements ensure compliance 
with all applicable national and international regulations. 

For any space mission involving significant quantities of radioactive or 
fissile material, launch approval must be given by the Executive Office of the 
President of the United States, based on comparison of the projected benefits 
and the risks for the mission. The decision is based on an established and 
proven review process that includes an independent assessment of mission safety 
by an Interagency Nuclear Safety Review Panel (INSRP). The commitment of 
the nuclear propulsion program to keep risks as low as reasonably achievable 
helps ensure a judgment that the benefits of potential missions will outweigh 
the risk. 

A comprehensive safety program shall be established to cover all program 
phases. It shall be directed toward making a thorough search for hazards, 
establishing requirements for eliminating and controlling hazards, executing 
experimental and analytical evaluations of the associated risks, and providing 
reasonable assurance that all safety issues have been identified and adequately 
treated. The program shall include continual monitoring and evaluation of all 
activities important to safety and shall, in addition to the final INSRP 
assessment and review described above, provide for periodic, competent, and 
independent safety oversight. The safety program should include a clear 
delineation of the safety assurance function and should be coordinated with the 
quality assurance and reliability functions. 

Effective safety administration is an essential element of the nuclear 
propulsion safety program and must be guided at the policy level to ensure 


2-2 



NSPWG Report 


adequate safety implementation. Clear lines of authority and communication 
for safety shall be established and maintained. Lines of authority for safety 
must be instituted to ensure safety responsibility and accountability. Effective 
communication is essential to implement the safety program. As part of the 
communication process, it is important to foster open communication with 
program participants and the public regarding both the benefits and risks 
associated with the SEI nuclear propulsion program. The specific emphasis 
placed by the program on safety and the progress toward the safety objectives 
should also be communicated. The predicted system responses and the expected 
and potential environments for systems interfacing with the nuclear propulsion 
system must be communicated among all system developers to ensure 
appropriate mission level safety evaluations. The specific definition of an 
organizational structure for safety and the assignment of responsibilities within 
that structure is vital to the realization of the goals and objectives of the safety 
program, but that function is outside the scope of this policy statement and 
discussion and is left to the overall management of SEI using the policy as 
guidance. 

Safety is essential to the success of the program. Management should take 
specific actions to develop and maintain a safety consciousness among all 
program participants and throughout all aspects of the SEI nuclear propulsion 
program. This requires that management be committed to the health and safety 
of its workers and the public and the protection of the environment, that this 
commitment be communicated to all program participants, and that safety be 
given explicit consideration in all technical, operational, and programmatic 
decisions. The goal is for the commitment to safety to so pervade the program 
that all participants recognize their safety responsibilities and automatically 
consider the safety implications of their work. 


2-3 




NSPWG Report 


3. Recommended Safety Requirements for Flight Systems 

3.1 Intended Use of Recommended Requirements 

The requirements presented in this section and the guidelines given in 
Section 4 are recommended for use by SEI program safety management to 
develop program Safety Functional Requirements. A different set of Safety 
Functional Requirements will be needed for other space nuclear programs and 
applications. The recommended safety requirements, and the recommended 
guidelines provided in Section 4, should also be useful for the purpose of 
conceptual design and program planning. 

As the nuclear propulsion program progresses and systems designs mature, 
the Safety Functional Requirements may need to be modified to maintain the 
intent of the Safety Policy. Nuclear systems designers and developers should be 
allowed to propose modifications to the requirements to make them more 
applicable to the developing systems. The justification for such changes should 
include the demonstration that the replacement maintains or improves the level 
of compliance with the program Safety Policy. Any modifications to Safety 
Functional Requirements will require formal approval by program safety and 
cognizant agencies through an established review and approval process. 
Approval of revised safety requirements must be based on an assessment that 
revisions are consistent with the philosophy of reducing risk to as low as 
reasonably achievable. This process of proposing revised or supplementary 
safety requirements allows the requirements to be adapted to the developing 
program. This process can also stimulate innovation and the creation of systems 
designs that will lead to improved safety and system performance. When 
establishing or modifying Safety Functional Requirements, preference should be 
given to inherent or passive safety measures over the incorporation of active 
safety features. Revisions to design specifications affecting safety should be 
based on this philosophy as well. 

3.2 Recommended Requirements 

Recommended safety requirements were developed for reactor start-up, 
inadvertent criticality, radiological release and exposure, disposal, entry, and 
safeguards. Both quantitative and qualitative requirements have been 
recommended. Quantitative requirements for radiological exposures were 
recommended only when applicable established guidance could be cited. More 
specific and quantitative design requirements must be developed as the program 
matures and specific concepts and missions are defined. The development of all 
recommended requirements (and any subsequent modifications) must be 
compatible with the fundamental philosophy of reducing risk to as low as 
reasonably achievable. 

The recommended requirements are presented and discussed below. 


3-1 


NSPWG Report 


3.2.1 Reactor Start-Up 

Safety issues concerning reactor start-up and operation during the 
prelaunch, launch, and deployment phases are included under the heading of 
reactor start-up. 

A reactor fueled by uranium 235 that has never been operated has a very 
small radioactive inventory. This inventory is limited to the natural 
radioactivity of the fuel. Very low-power operation, which may be employed 
for ground testing, produces a negligible increase in the radioactivity of the 
reactor system. During power operation, significant neutron and gamma 
radiation emanates from the reactor. If the reactor operates at an appreciable 
power level for a sufficient length of time, the reactor will accumulate a 
significant radioactive inventory that can remain after reactor shutdown. Thus, 
radiation from an operating reactor or a reactor that has been operated at an 
appreciable power level could cause a significant exposure to ground operations 
crews and to launch crews. For a pre-launch, launch, or deployment accident 
with an operating reactor or a reactor that has been operated at significant 
power levels, additional issues are raised concerning the potential for radiation 
exposure to the public and the release of radioactive materials into the 
environment. 

The current NASA mission planning documents for SEI (e.g., Stafford 
1991) do not include suborbital reactor operations in their mission planning 
options; consequently, scenarios requiring suborbital start-up were considered to 
be beyond the NSPWG scope. Considering this scope, a simple and prudent 
approach to address the issues under discussion would be to require that the 
reactor not be operated and remain shutdown until an acceptable orbit is 
achieved. Very low-power testing of the reactor on the ground should be 
excluded from this requirement, provided that the fission and activation product 
inventory from testing is negligible at the time of launch. Reactor shutdown, as 
used in this discussion, is defined as being subcritical by an adequate margin 
and incorporating positive measures to ensure that the reactor remains securely 
subcritical. The recommended requirement for reactor start-up is as follows: 

• The reactor shall not be operated prior to space deployment, 
except for low- power testing on the ground, for which negligible 
radioactivity is produced. 

• The reactor shall be designed to remain shut down prior to the 
system achieving its planned orbit. 

A "planned orbit" is an Earth orbit condition, prior to insertion into an 
interplanetary or Earth-Lunar trajectory, that has been predetermined to be safe 
for reactor start-up operations. 

3.2.2 Inadvertent Criticality 

When shut down, a reactor is subcritical; that is, it cannot support a 
neutron chain reaction. In this state the reactor is producing no fission power 
and no additional radioactive inventory. A reactor accident could cause the 
reactor to become critical by causing changes in the configuration of reactor 



NSPWG Report 


materials or by changing the material environment of the reactor. Fuel 
compaction and water immersion from a launch or inadvertent entry accident 
are examples of these potential accident-caused changes. An inadvertent 
criticality event can produce significant radiation and can increase the 
radioactive inventory of the reactor. When additional accident conditions are 
postulated, criticality could pose a potential hazard to the crew, the public, and 
the environment. If sufficient power is produced during an inadvertent 
criticality event, disruption of the reactor system could occur, with the potential 
for release of radioactive materials to the environment. The potential for 
inadvertent criticality can be essentially precluded by incorporating features to 
assure a secure shutdown during launch (see Subsection 3.2.1) and assuring 
highly reliable shutdown features for accidents. The recommended requirement 
for inadvertent criticality is as follows: 

• Inadvertent criticality shall be precluded for both normal and 

credible accident conditions. 

3.2.3 Radiological Release and Exposure 

Guidance on radiological releases and exposures to radiation from reactor 
propulsion systems deployed in space are needed to protect the mission crew, 
space environment, and Earth environment. The protection of other space 
enterprises, such as other space missions involving astronauts, is encompassed by 
protection of space environments. In addition, the mission spacecraft must be 
protected from any adverse effects that could result from radiological releases. 
This guidance pertains to routine operation and potential accidents in space. 
Space, in this context, includes all regions beyond Earth’s biosphere, including 
other celestial bodies. Radiological release and exposure prior to intended 
operation or in the event of inadvertent Earth entry are covered in Subsections 
3.2.1, 3.2.2, and 3.2.5. Principal reactor sources of radiation include neutrons 
and gamma radiation that have not been stopped by radiation shielding, 
potential fission product release, and positron and electrons produced from 
gamma interactions with the system. Charged fission products, positrons, and 
electrons can be trapped in Earth’s magnetosphere and remain a source of 
radiation for a period of time. Trapped radiation can contribute to the crew 
dose and can adversely affect other space enterprises, such as satellite gamma 
ray observations. 

For routine operation and expected occurrences, allowable doses can be 
preestablished. For accidents, deterministic requirements are inappropriate and 
probabilistic guidance is recommended. In all cases the principle of reducing 
radiological risk to as low as reasonably achievable should be used to enhance 
safety. Current NASA guidance for total whole body dose is 50 rem/year, of 
which 5 rem/year may be received from man-made on-board radiation sources 
(see 29 CFR 1910.96 [U.S. OSHA, 1989]). Since the natural background 
radiation dose to the crew will be quite high for some proposed SEI missions, 
the 5 rem/year dose limit from reactor radiation is both reasonable and prudent. 
Pursuant to 29 CFR 1960.18 (U.S. OSHA, 1991), NASA has adopted the 
recommendations of the National Commission on Radiological Protection and 
Measurements (NCRP, 1989) as its supplementary standard for space flight crew 
radiation exposures. NASA implementation of this standard requires, among 
other things, that exposure limits for on-board radiation sources comply with 29 


s-s 



NSPWG Report 


CFR 1910.96, except where the NASA mission or objectives cannot be 
accomplished otherwise. 

Radiological release to the sp ace environment may have a significant or 
insignificant effect depending on where and when it is released and depending 
on the quantity and type of radiation released. For example, an appreciable 
release of long-lived radioactive materials on the surface of the moon would be 
unacceptable and in violation of international treaties. On the other hand, it 
could be acceptable to allow released radioactive materials in some regions of 
deep space to decay and dissipate over a period of years. Conditions for 
releases in space and potential future space enterprises are too numerous to 
allow quantitative guidance at this stage. 

No established guidance was found that would be directly applicable for 
setting quantitative limits for radiological contamination of Earth’s environment 
from space activities. A conservative requirement for releases in space 
potentially affecting Earth’s environment would be to assure that any 
radiological contribution to Earth’s environment is much less than the 
radiological guidelines for terrestrial activities. For example, the US 
Environmental Protection Agency limitations for radiological environmental 
contamination of US territory could be the most appropriate guideline. 

The recommendations presented here recognize that any radioactive 
releases in space, for both normal and accident conditions, should have an 
insignificant and probably undetectable effect on Earth’s environment. Based 
on these considerations the requirements for radiological release and exposure 
are as follows: 

/. Routine Operations and Expected Occurrences 

• Use 29 CFR 1910.96 dose limits for on board radiological 

sources. 

• Radiological releases from the spacecraft shall not impair its use. 

• Radiological release from the spacecraft shall not contribute 
significantly, over an extended period of time, to any local space 

environment. 

• Radiological release from the spacecraft shall have an 
insignificant effect on Earth. 

II. Accidents 

• The probability of accidents involving radiological release 
affecting the immediate or long-term health of the crew shall be 
extremely low. 

• For those accidents involving radiological release for which the 
crew is expected to survive, the radiological release shall not 
render the spacecraft unusable. 


3-4 



NSPWG Report 


• The probability of a significant radiological effect from an 
accident on any local space environment over an extended period 
of time shall be extremely low. This environment includes other 
space enterprises. 

• The consequence on Earth of a radiological release from an 
accident in space shall be insignificant. 

The term "insignificant" as used here for the effect on Earth of a 
radiological release in space means "much less than the value specified for 
terrestrial guidelines." An "extremely low probability event" is one that is not 
expected to ever occur during the execution of the SEI program. "Significant" 
means "greater than the most appropriate guideline or norm." An "extended 
period of time" is understood to mean "encompassing the time period of 
potential future space enterprises in the region of space under consideration." 

The requirement presented above for radiological effects from accidents on 
the spacecraft apply only to radiological effects. Reactor failures or accidents 
might render the spacecraft unusable from factors other than radiological 
effects. These other factors must be addressed as reliability considerations, and 
their management must be consistent with the philosophy of reducing risk to as 
low as reasonably achievable. 

3.2.4 Disposal 

Disposal plans for space reactor systems and associated spacecraft 
components should be established well before the propulsion system is deployed. 
Furthermore, the method of disposal must be safe; that is, the radioactive 
materials of the disposed reactor system must not endanger the public or the 
environment. Strategies for disposal must preclude entry by orbital decay, in 
order to comply with the requirement for no planned Earth entry (see 
Subsection 3.2.5). The reactor system integrity must be protected for all normal 
conditions and credible accident conditions, including collisons with meteroids 
and orbital debris, that could compromise the user’s ability to dispose of the 
reactor system safely. The potential for contamination of the space environment 
should also be assessed. For example, destructive collisions with space debris or 
meteoroids could contaminate large regions of space. 

After considering a number of disposal options, the NSPWG concluded that 
approaches using disposal out of Earth orbit are preferred. Other disposal 
options should be evaluated and compared to determine the approach in which 
risk is reduced to as low as reasonably achievable. Based on these 
considerations, the requirements for disposal are as follows: 

• Safe disposal of spent reactor systems shall be explicitly included 
in Space Exploration Initiative mission planning. 

• Adequate and reliable cooling , control, and protection for the 
reactor system shall be provided for all normal and credible 
accident conditions to prevent reactor system disruption and 
degradation that could preclude safe disposal. 


3-5 


NSPWG Report 


3.2.5 Entry 

Entry refers to an event in which a reactor system enters the atmosphere 
or impacts the surface of Earth or another celestial body. Entry issues include 
the potential for the release of fission products and activation products into 
Earth’s or another planet’s environment and the potential for exposure from 
direct radiation from the reactor. Radioactive release due to entry can result 
from the effects of passing through a planetary atmosphere or from reactor 
disruption from impact. 

Precluding planned Earth entry is recommended as a prudent means to 
reduce risk to as low as reasonably achievable. Landing nuclear propulsion 
systems on celestial bodies other than Earth is permitted, provided that the 
requirements for radiological release and exposure are met. Furthermore, 
planned Earth entry refers to mission planning and does not include planning 
following unforeseen events. For example, a mission terminated prior to the 
reactor generating a significant radioactive inventory is an unforeseen event. 
The return of the reactor system to Earth for this situation would not be 
precluded if it can be shown that the operation can be carried out safely. 

The reactor system could enter inadvertently because of a misdirected 
thrust, fragmentation in orbit and subsequent decay, or from other causes. 
Inadvertent entry could occur during the launch, operation, or disposal phases. 
Once deployed, the potential for inadvertent entry can be largely prevented by 
proper choice of orbits and trajectories and careful maneuvering of the 
spacecraft when making trajectory adjustments. Should inadvertent entry occur, 
significant radioactive contamination or exposure can be prevented by ensuring 
that the reactor remains intact following entry and impact. Alternatively, risk 
can be reduced by ensuring essentially full high-altitude dispersal of 
radioactivity. A reactor is essentially intact if it retains sufficient integrity to 
maintain subcriticality and to keep radioactive fuel, solid fission products, and 
structures together collectively. (Inadvertent criticality from an inadvertent 
entry is covered in Subsection 3.2.2 as an accident condition). "Essentially full 
dispersal" means that radioactive material is widely dispersed in the atmosphere 
as an aerosol such that the consequences on Earth’s environment are 
insignificant (much less than for terrestrial guidelines). The consequences of 
other entry modes (e.g., partial disruption) are expected to be greater than for 
either intact entry or full dispersal. 

Should inadvertent entry and impact occur, emergency response measures 
will be more effective for small areas of distribution of system debris. The 
location and cleanup of system debris is simpler for debris confined to small 
areas than for widely scattered debris. Recommended requirements for entry 
are as follows: 

• Planned Earth entry shall be precluded from mission profiles. 

• Both the probability and consequences of an inadvertent entry 
shall be made as low as reasonably achievable. 


3-6 


NSPWG Report 


• For an inadvertent entry through an atmosphere, the reactor shall 
be essentially intact, or, alternatively, shall result in essentially 
full dispersal of radioactivity at high altitude. 

• For an impact, radioactivity shall be confined to a local area to 
limit radiological consequences. 

• The reactor shall remain subcritical throughout an inadvertent 
entry and impact. 

3.2.6 Safeguards 

The safeguards topic encompasses all measures provided to control and 
protect the nuclear system and special nuclear materials (SNMs). The theft, 
diversion, loss, or sabotage of special nuclear materials must be prevented 
during all phases of the program. If special nuclear materials fall into 
unauthorized hands, national or subnational entities may utilize the materials for 
a nuclear weapon. The likelihood of successful unauthorized use can be 
reduced by early detection and maximizing the available response time. Prior to 
launch, successful theft, diversion, or sabotage can be made extremely unlikely 
through the application of standard, proven physical security and safeguard 
methods and procedures. Subsequent to launch, potential unauthorized use is 
generally limited to selected abort or accident situations where opportunity and 
accessibility exist. 

Proven safeguards approaches developed for terrestrial use are applicable to 
the protection of nuclear propulsion system hardware and SNM prior to launch. 
It is important to ensure, to the extent practicable, that this existing safeguards 
technology is not precluded or compromised by the nuclear propulsion system 
design. Also, design options exist which can enhance safeguards of nuclear 
propulsion system hardware. This is particularly true with respect to the 
nuclear fuel, especially its composition and material form. In assessing such 
options, consideration should be given to preserving the direct applicability of 
existing safeguards technology. Based on these considerations, the 
recommended safeguards requirements are: 


• Positive measures shall be provided to control and protect the 
nuclear system and its special nuclear materials (SNM) from 
theft, diversion, loss, or sabotage. 

• To the extent practicable, the design of the nuclear system shall 
incorporate features that enhance safeguards and permit proven 
safeguards methods to be employed. 

• Positive measures or features shall be provided to facilitate timely 
identification of the status as well as the location and, if 
necessary, recovery of the nuclear system or its SNM. 


S-7 



NSPWG Report 


4. Recommended Guidelines for Flight Systems 

4.1 Intended Use of Guidelines 

Safety guidelines are recommended for use by the program to establish 
program plans as well as design and operational requirements for the 
development of nuclear propulsion systems for SEI. Some of these guidelines 
may be useful for formulating additional Safety Functional Requirements. 
Safety guidelines are recommended for risk/reliability, operational safety, flight 
trajectory and mission abort, as well as space debris and meteoroid safety 
considerations. 

4.2 Recommended Guidelines 
4.2.1 Risk/Reliability 

Considerations, discussion, and recommendations related to risk and 
reliability evaluations have been combined because of their common need to 
evaluate failure mechanisms and the probability of their occurrence. The design 
and development activities directed toward assuring high reliability in system 
features and functions should receive major emphasis in any nuclear program. 
The reliability of the safety functions, in particular, are critically important to 
reducing risks both during ground testing and for the flight mission. 

4.2.1. 1 Reliability Program. All activities in the SEI program, including 
the nuclear propulsion activities should be guided by a formal reliability 
program based on a common technical approach. The reliability program should 
focus on the generic problem of demonstrating high reliability at the system 
level based on feature and component testing and a few subsystem-level tests. 
The reliability program should be integral with the engineering design and 
development activities to maximize the usefulness of test data. This means that 
reliability technologists should support definition of the design and development 
testing, and these efforts should include margin testing and test -to- failure 
activities necessary to support demonstration of reliability. 

The reliability program should include analytical activities to relate 
empirical data to systems-level performance objectives and support definition of 
data requirements. These analytical activities should also be used to support the 
establishment of priorities for the data requirements. Highest priority should be 
given to the design and data requirements that support evaluation and 
demonstration of the reliability of safety functions. For example, demonstration 
of the reliability of the control system to perform the shutdown function is very 
important to safety. Shutdown heat removal and its role in retaining radioactive 
materials is also an important safety function, especially in ground testing. 

The reliability program should focus on identifying and eliminating, if 
possible, mechanisms that can cause failure. Standard methods, such as Failure 


4-1 



NSPWG Report 


Modes and Effects Analysis (FMEA), should be applied to search systematically 
for failure mechanisms. Identified failure mechanisms that cannot be 
eliminated should have demonstrated margins relative to the required 
performance lifetime. 

Large subsystem tests and flight system tests should include activities that 
provide assurance that tests can be conducted with a high probability of being 
completed as planned. These activities should be integrated with the quality 
assurance activities and could include elements such as a critical items list. The 
reliability program should also include activities to support establishing design 
and procurement specifications of those parts required to achieve the reliability 
objectives. 


4.2. 1.2 Risk Analysis. All program elements should support the safety 
policy objective of assuring that risks are as low as reasonably achievable. 
Design-basis mission risk analysis should be initiated as soon as possible to serve 
as the foundation of the future baseline mission risk analyses. The risk analysis 
tasks should provide analytical evaluation of the risk to individuals and the 
environment associated with each major task. This information should be 
compiled and reported to the responsible line management for use in the 
decision making process. The risk analysis information should also be used to 
guide safety design requirements and safety testing and analysis development 
activities. Figure 4-1 illustrates the proposed role of risk and safety analysis in 
SEI. Several types of risk assessments and analysis will be required to 
incorporate the nuclear and space technology elements into a common set of 
methods. 

For large, expensive nuclear systems, it is not practical to obtain large 
samples of system-level failure rates. Nor is it practical to run large-scale tests 
for severe accident consequences included in risk assessments. These issues can 
only be addressed through detailed probabilistic analysis using subsystem and 
piece-part failure-rate data and phenomenological test data on failure 
mechanisms and accident consequences. Much has been accomplished in the 
fifteen years since WASH- 1400 (Rasmussen, 1975) was published to advance the 
methods for reliability prediction and risk assessment. The methods, when 
appropriately applied, focus on assuring that high-quality judgments are derived 
from test data and validated analyses. These methods have been used in a 
preliminary fashion to perform a Mission Risk Analysis (MRA) for SP-100. 
The safety analysis reports (SARs) and safety evaluation reports (SERs) for past 
RTG-powered space missions also involve extensive use of probabilistic risk 
assessment methods. 

The reliability analysis activities should be coordinated with the risk 
analysis activities to avoid duplication of effort and potential inconsistency in 
approach or evaluations. For example, activities such as fault tree analysis 
required to perform safety/risk assessments should use the same data base as the 
reliability program activities. 


4-2 



NSPWG Report 


Proposed Role of Risk and Safety Analysis in SEI 



Figure 4-1. Proposed Role of Risk and Safety Analysis in SEI (Simplified) 


4-3 









NSPWG Report 


Risk analyses will require the results of consequence analyses and the 
testing used to validate consequence models. Consequence analyses and testing 
provide prediction of potential accident sequences and the uncertainties 
associated with these predictions. Consequence analysis and testing must be 
integrated with the risk analyses methods. For example, uncertainties in 
trajectory analysis for abort sequences should be systematically investigated and 
factored into the mission risk analysis. Several acceptable ways to structure 
these types of activities are possible, and it is important to tailor these efforts to 
the specific organization structures and types of technology. Since this 
information is not yet available, very specific recommendations concerning these 
activities cannot be provided at this stage. Risk analysis activities must be 
integrated sufficiently well to make it possible for the line management and 
safety technologists to demonstrate jointly the safety adequacy of flight designs 
and test facility operations. 

Figure 4-2 illustrates the activities and interfaces that should be maintained 
between the reliability and risk analysis activities (top and bottom paths on the 
figure, respectively). Feedback activities have been omitted to simplify the 
diagram, but several iterations of the identified activities can be anticipated. 
Starting at the left of the figure, conceptual designs will be used to plan 
development activities. Both analytical methods and testing related to failure 
probability and failure consequences will be required to support the risk 
analysis. Data bases currently available, as well as those unique to SEI, should 
be compiled and controlled for common use in the program analysis. Two 
activity boxes identify the expert judgement processes that need to be 
developed and commonly applied to both probability and consequence results 
used in risk analysis. Probabilistic, consequence, and mission event trees all 
feed into the risk analysis, the output of which is used to develop safety 
requirements and support safety analysis reports. The reliability analysis 
activity and the consequence analysis also directly support the development of 
safety requirements used for system and mission design. 

4.2.2 Operational Safety 

All missions planned in SEI, whether piloted, cargo, or robotic, require 
long operational sequences that include a large number of varied operations. 
Consideration of these operations and the design strategy to assure that they can 
all be accomplished safely should be completed as early as practical. Early 
objectives include: (1) incorporation of adequate safety margins and operational 
safety features in the design, (2) identification of all developmental equipment 
required to support safe operations, and (3) identification of the design duty 
cycles and environmental conditions that this equipment must accommodate to 
assure its reliability for all mission phases. Normal, abort, and credible accident 
sequences must be included. A high level of computer simulation is 
recommended. Candidate human-machine interface equipment should be 
integrated with nuclear system simulators. It is important that these tasks be 
given priority and visibility so requirements that will lead to acceptable levels 
of mission safety can be established. 


4-4 



NSPWG Report 



Figure 4-2. Recommended Application of Reliability and Risk Analysis in SEI 
Nuclear Propulsion Program 


4-5 












NSPWG Report 


Eight issues have been identified in this discussion as potential topics to be 
addressed by the operational safety activity. Other high-priority issues may be 
identified that should also be integrated into this effort. Although this effort 
and the topics addressed also apply to considerations other than safety, the 
recommendations and discussion provided here place emphasis on operational 
safety. 

4.2.2. 1 Integrating Safety Considerations. The first level of safety is 
provided by sound design and operational practice. This means that it is 
desirable to have large margins between the operating envelope and the 
operational states that approach failure. The designer and developer should be 
aware of the need to identify the margins in the design. When beneficial and 
practical, the margins should be increased relative to safety limits. 

4 .2 .2.2 Criticality and Control Calibration. As part of the acceptance 
testing, it will probably be necessary to achieve reactor criticality and calibrate 
the control devices and instrumentation. This operation may take place at the 
factory or launch site. The approach to this operation should be considered 
during the conceptual and preliminary design phases. The pre-operational 
safety aspects associated with maintaining safe nuclear critical experiments are a 
part of this activity. Control system design or supplementary features required 
to assure a very low probability for inadvertent criticality during these 
operations should be considered. 

4.2.2.3 Role of Flight Crew in Nuclear Operation. It is almost certain 
that even during piloted missions the reactor(s) will automatically start up and 
restart and will be automatically controlled. However, it is equally certain that 
on piloted missions the crew will have opportunities to intervene in these 
automatic actions, if in their judgement this is warranted. The information 
required to support their making sound decisions will influence instrumentation 
requirements. Response actions could also have special requirements that merit 
early consideration so that the system is designed to perform properly in an 
emergency. Pilot roles and procedures should be identified so that 
instrumentation and information for pilot emergency actions or intervention, if 
any, are identified and developed. 

4. 2. 2. 4 Instrumentation Requirements and Operational Strategies. 
Autonomous control will be required for cargo and robotic missions and will 
probably be used for piloted missions. Diagnostic and fault correction systems 
will be necessary to achieve the high systems reliability requirements. These 
strategies must include features to reduce inadvertent or spurious shutdowns. 
Spurious shutdowns could adversely affect crew safety. These strategies and the 
equipment to implement them have safety implications that require evaluation as 
soon as practical in the design cycle. Sensor information reliability and 
confirmation of the reliability of diagnostic and fault correction strategies will 
require thorough consideration. 

4. 2. 2. 5 Development of the Operational Duty Cycle. The nuclear 
propulsion system operational duty cycle must be identified to assure adequate 
margins in the design. Thermal and mechanical cycling can be very important 
to failure analysis. Early identification of the duty cycles and their relationship 
to planned mission and abort strategies are needed to allow safety evaluations to 


4-6 



NSPWG Report 


influence the establishment of adequate margins in the design duty cycle. This 
effort would also contribute to identification of features needed for shutdown 
heat removal. 


4.2. 2.6 Extra Vehicular Activity (EVA). The system developer and 
mission designer should avoid EVA (planned or contingency) during all mission 
phases because of the significant hazard and complication associated with an 
EVA. If in-flight EVA is absolutely required, reactor shielding and EVA 
protected zone (shielded) constraints and requirements must be established. For 
nuclear propulsion systems that release toxic or radioactive material during 
operation, the system developer and mission designer must consider provisions 
for on-board procedures and facilities for post-EVA radiation detection, 
containment, and, if necessary, decontamination. Specific guidelines, 
procedures, constraints, and requirements addressing these and other possible 
EVA nuclear propulsion issues should be established by the system developer 
and mission designer. 

4.2.2.7 Proximity Operations. Proximity operations during SEI missions 
include orbit and interplanetary flight activities involving vehicle rendezvous, 
docking, and station keeping. After reactor start-up, exposure to reactor 
radiation will be a major concern for these activities. The nuclear propulsion 
system developer and the SEI mission designer must consider reactor shielding, 
protected zone (shielded) and distance constraints and requirements for all 
proximity operations planning. Guidelines, constraints, and requirements should 
be established to address these issues. 

4.2.2.8 Testing and Surveillance. It will be necessary to conduct both 
testing and surveillance of various nuclear propulsion subsystems and their 
interfaces with other subsystems at times during flight. The need to conduct 
such tests is related to the mission profile and the variation in the operational 
state of subsystems. For example, each period of reactor operation and 
thrusting could be followed by a long period of shutdown and coasting. Prior 
to powered restart it will be necessary to identify the instrumentation and 
control actuators that are still operational and, if some have failed, to identify 
the level of redundancy and associated operational strategy. To assure that the 
testing and surveillance activities can be completed, it is first necessary to 
identify them and the procedures for testing and verifying their operation. 

4.2.3 Flight Trajectory and Mission Abort 

In addition to the many and varied inputs, constraints, and requirements 
necessary for chemical thrust mission trajectory planning, the designers of SEI 
missions using nuclear propulsion must address the nuclear safety issues during 
the process of trajectory design, analysis, and selection. Specific nuclear safety 
issues that should be addressed are discussed elsewhere in this report. The 
sections that discuss these nuclear safety issues are referenced below: 

• Reactor Start-Up Requirements — Subsection 3.2.1 

• Inadvertent Criticality — Subsection 3.2.2 

• Radiological Release and Exposure Requirements — Subsection 3.2.3 

• Disposal Requirements — Subsection 3.2.4 

• Entry Requirements — Subsection 3.2.5 

• Risk/Reliability Guidelines — Subsection 4.2.1 


4-7 


NSPWG Report 


• Operational Safety Guidelines — Subsection 4.2.2. 

Specific mission-abort principles should be developed with systematic risk 
analysis, and where practical, should jnclude provisions for addressing the 
nuclear safety requirements listed above. In the event of mission abort after 
nuclear system operation, flight elements should have sufficient alternate 
(nuclear or non-nuclear) propulsion capability to return the crew safely and 
place the nuclear reactor in the planned or alternate disposal trajectory. 

4.2.4 Space Debris and Meteoroids 

Meteoroids and space debris are a part of the space environment and need 
to be considered in the development of safety and reliability requirements. The 
technology required to quantify this environment and provide protection for 
spacecraft is ongoing. Unique features associated with nuclear propulsion 
systems requiring special development attention have not been identified. The 
ongoing development efforts for sensors and protective materials to address 
debris and meteroids concerns may need to be supplemented to support the SEI 
programs. Improved measurement and modeling of the environment could be 
of benefit to the spacecraft and propulsion system designers. Because of their 
large radiator areas, NEP systems are likely to require more attention to 
protection from space debris and meteoroids than NTP systems would. The 
need to accommodate particle impacts may be the limiting factor for minimizing 
the mass of large NEP radiators. For NTP systems, pressure requirements and 
structural requirements result in relatively thick fuel tanks and other large 
surfaces of potential concern. These thicker components for NTP systems 
reduce their potential vulnerability to particle impacts. 

Mission trajectories for most candidate SEI missions require relatively short 
time periods in the space debris environment; consequently, the probability of 
debris impacts is relatively low and substantial protective features might not be 
required. NEP- powered missions will have longer periods of exposure to space 
debris but exposures will be still relatively short compared to spacecraft that 
continually orbit Earth. 

A second issue related to space debris is the potential that SEI spacecraft 
and power systems have for adding debris to the environment. Of greatest 
concern is addition of debris to the orbital environment surrounding Earth, but 
more generally to include the orbits of other planetary environments visited by 
the spacecraft. The National Space Policy requires, 

"... All space sectors will seek to minimize the creation of space 
debris. Design and operations of space tests, experiments and systems 
will strive to minimize or reduce accumulation of space debris 
consistent with mission requirements and cost effectiveness. The U.S. 
Government will encourage other space-faring nations to adopt 
policies and practices aimed at debris minimization . . ." 

The nuclear propulsion system designers need to be made aware of these 
requirements and take measures to control release of debris material. These 
requirements may have greater implications for any NTP systems that release 
some particulate in the coolant flow. Even though these particles may be 


4-8 



NSPWG Report 


extremely small, the potentially large numbers of them will influence 
requirements for limiting erosion of the fuel surface. 


4-9 




NSPWG Report 


5. Recommended Guidelines for Ground Activities 

Safety requirements for ground testing nuclear propulsion reactors are 
needed to establish facility designs. Requirements are needed in two broad 
categories: (1) requirements for testing that will assure flight systems achieve 
the program safety objectives and support launch approval, and (2) requirements 
to assure that ground testing will be conducted safely. Subsection 5.1 addresses 
the first category and Subsection 5.2 addresses the second category. Much of 
the work identified in Subsection 5.1 supports ground test safety objectives as 
well as flight test safety objectives. 

S.l Ground Test Needs for Safety Validation 

5.1.1 Background 

Control of hazards associated with space nuclear propulsion systems will 
require safety test information to validate analysis and to support both 
establishing and demonstrating compliance with safety requirements. Early 
guidance is needed to identify the scope of testing needed to support flight 
system safety and test facility safety requirements. Care should be taken not to 
confuse safety requirements for ground testing with those for the flight system. 

Nuclear propulsion systems technology varies over a broad range and the 
design options for many candidate concepts are also quite varied. Options based 
on advanced NERVA technology solid fuel designs are reasonably definitive in 
their features, while other designs employing innovative liquid and gaseous fuel 
forms are only conceptual with little design and performance data available. 
Recommendations based on available information are of necessity based heavily 
on solid core design and the NERVA/Rover program experience. Although 
preliminary recommendations are useful for the innovative designs, further 
development of the design concepts must proceed before safety testing 
requirements unique to their characteristics can be developed. As the 
innovative concepts become more developed, the facility plans and safety testing 
issues must be reviewed to identify any additional safety testing requirements. 

5.1.2 Recommendations 

The safety program should include a task to define and assure completion 
of the testing required for flight system safety. This element of the safety 
program should focus on data required to assure the safety objectives, as they 
apply to the flight systems, will be achieved. These data are necessary to obtain 
flight approval. Some of the data identified will also be useful to other major 
tasks, such as ground testing of propulsion reactors. 

Flight safety tasks can be logically separated into four groupings: launch 
phase, operation phase, disposal phase, and inadvertent entry. The list 
represents candidate testing that should be considered for the purpose of 


5-1 



NSPWG Report 


planning test facilities only. This does not represent a recommendation that the 
testing will actually be needed for flight approval. Specific designs are required 
to establish the actual safety testing requirements. 


Candidate Testing to Support Safety Evaluation 

A. Launch Phase Safety 

1. Critical experiments for accident-caused geometries or introduction of 
moderator or reflective material. 

2. Core material behavior for solid booster fire environments. 

3. Exposure of safety features to launch pad explosion and fire environments. 

B. Operational Phase Safety 

1. Measurement of inherent core reactivity mechanisms for assuring stable 
control. 

2. Reliability of control, shutdown, and shutdown cooling features. 

3. Demonstration of adequacy of flight system operator interfaces and 
operating procedures. 

4. Adequacy of instrumentation calibration, reliability and lifetime data. 

5. Measurement of fission product release or fission product retention. 

6. Transient testing of fuel under design-basis accident conditions. 

7. Demonstration of shielding performance including margin to lifetime. 

C. Disposal Phase Safety 

1. Obtain performance and reliability data on features employed to implement 
the disposal plan. Features could include systems for separation of 
disposable items or attachment of disposal devices. 

2. Reliability of reactor systems required to prepare the core for disposal. 


D. Inadvertent Entry 

1. Dynamic impact testing of core elements required to retain the function of 
assuring subcriticality, acceptable retention of radioactivity, and to assure 
functioning for appropriate emergency actions. This would include 
features that assure subcriticality on ground or water impact. 

2. Testing of features required to assure success of the planned response mode 
for inadvertent entry. 

3. Testing of features for location and recovery of debris. 

5.2 Ground Facility and Equipment Safety 

5.2.1 Background 

The discussion and recommendations presented here are based on the 
intended application of the safety policy to the nuclear propulsion reactor test 
facilities, recent SP-100 Nuclear Assembly Test experience, and experience with 
ground testing nuclear power and propulsion reactors. Two basic issues have 


5-2 


NSPWG Report 


been identified: (1) What requirements exist and what requirements should be 
developed and applied to assure safety in ground testing of space nuclear 
propulsion reactors? and (2) What process should be assumed to be applied in 
planning safety reviews of ground testing of nuclear propulsion reactors? 

Many types of nuclear reactors are being evaluated for potential use in 
space nuclear propulsion. NTP reactor concepts include the use of solid, liquid, 
or gaseous nuclear fuel. As previously stated, the solid core concepts are the 
most developed, in part, because of the extensive experience from the 
NERVA/Rover program. The discussion and recommendations that follow are 
based on the issues as they relate to ground testing of solid-fueled nuclear 
thermal rocket engines. The recommendations could be applicable to the 
gaseous- and liquid-fueled NTP concepts, but issues and recommendations 
unique to these concepts could be critical and must wait for more specific 
design detail. The recommendations also apply to the NEP reactors except for 
the effect of using the open cycle in the NTP. NEP system concepts have 
closed reactor coolant systems while the NTP systems use the reactor coolant to 
produce thrust and, consequently have open reactor coolant systems. From a 
ground test safety standpoint, the open and closed cooling approach is the 
singularly significant difference between the NTP and the NEP reactor 
concepts. Otherwise the generic safety issues are common to ground testing of 
both these propulsion reactor types. 

A fundamental safety issue is exposure of people and the environment to 
sources of ionizing radiation. Control of the exposure to toxic materials is also 
important but does not present a unique safety challenge for the more 
developed nuclear propulsion reactor concepts. Safety issues associated with 
storage and handling of large quantities of hydrogen reactor coolant will also 
need attention but should not present new or unmanagable safety issues. Use of 
other reactor coolants may introduce different safety requirements. 

Requirements for the control and release of radioactive material during 
normal and credible accident conditions have been developed for many types of 
ground test reactors. These generally can be applied to the testing of NTP and 
NEP reactors. These requirements focus on providing inherent safety design 
characteristics that permit control of the reactor with highly reliable sensors and 
actuator mechanisms. Features are also provided that assure control of fission 
products even if the highly reliable control systems fail. The usual response to 
such a postulated failure is to shut down the reactor and cool the nuclear fuel 
and structural support so that the reactor remains shutdown and the 
radioactivity remains contained or confined. In the US, large commercial power 
reactors provide containment that is intended to function in the event of 
postulated failure of inherent and engineered safety features. The containment 
retains the radioactivity postulated to be released as the result of damage to the 
reactor core. The established requirements to implement this approach could 
generally be applied to the ground test reactors for NEP application. They 
could also be applied to the ground testing of the solid core NTP test reactors; 
however, the necessity to exhaust the reactor coolant in an NTP reactor engine 
presents a unique area for requirements that have only been considered during 
the NERVA/Rover and Aircraft Nuclear Propulsion programs. In the case of 
the NEP reactor concepts employing refractory metals that require the vacuum 


5-3 



NSPWG Report 


conditions of space during operation, a unique requirement exists for vacuum 
enclosure of the reactor and its coolant boundary. 

Requirements for features to address these unique characteristics must be 
developed based on reducing the risk to as low as reasonably achievable. Thus, 
the safety design activities must include design efforts that evaluate risk- 
reducing design approaches and the practicality of implementing the approaches. 
These approaches could feature inherent reactor characteristics, such as nuclear 
fuel with a substantial capability for retention of fission products, or they could 
use special test facility features such as a shutdown system not intended for use 
in the flight system. 

The operating duty cycle of nuclear propulsion reactors must be considered 
in the safety evaluations. The duty cycle could consist of very short full power 
operating times. This duty cycle may allow safety approaches that achieve both 
high reliability in safety features and reduced sources of radioactivity and decay 
heat. 


Testing of space nuclear propulsion reactors will be conducted on 
government sites in accordance with DOE orders. The DOE orders provide 
requirements and guidance that are generally consistent with the recommended 
policy statement. The DOE orders will require some interpretation in applying 
them to specific testing. Interpretation of specific details should be done as 
part of the process of design development and independent safety review. 
Recommendations relative to the more general elements of the DOE orders are 
provided in the following sections. (DOE orders regulating safety and 
environmental protection are currently being revised and codified.) 

5.2.2 Ground Test Facility Recommendations 

Safety testing to support safety of ground tests of reactor propulsion 
systems should focus on three key functions: 

• reliability of safe reactor shutdown 

• reliability of safe shutdown heat removal 

• control and confinement of radioactive materials during operation and 

postulated accidents. 

Demonstration of reliability of safety functions could be demanding, 
depending on the extent to which components with demonstrated reliability are 
used. The reliability demonstration cannot be accomplished on the basis of 
large sample statistics. It will require reliability modeling and systematic 
evaluation and demonstration of margins relative to identified degradation and 
failure mechanisms. 

The issue of radiological containment or confinement for postulated severe 
accidents requires early attention and must be closely coupled to program 
schedule and strategy. Large safety margins potentially provided by 
containment for severe accidents can be used to simplify and accelerate safety 
evaluations and reviews; however, containment structures can be very expensive. 
Although the program must evaluate severe accident events, the short operating 
time and the durability of the fuels used in nuclear propulsion reactors may not 
demand accident mitigation to achieve the safety objectives. If the physics of 


5-4 



NSPWG Report 


the postulated severe accidents permit demonstration through experimentation 
and analysis of adequate radiological confinement, expensive containment 
structures may be unnecessary. Nonetheless, regulators could place emphasis on 
the issue of radiological confinement for postulated accidents involving severe 
core damage. Developers should give careful consideration to potential 
mitigative approaches for postulated severe accidents. The selected approach 
can only be determined with the knowledge of system design specifics. 

Specific test needs will be dependent on the details of the design features 
in each system. For the NTP system tests it will be necessary to have data on 
fission product release as a function of operating temperature and time. The 
safety and environmental constraints on ground testing these reactors may 
demand greater retention of radioactivity than for a space flight mission. Fuel 
testing for NEP systems will also be required but it is expected to be focused 
more on lifetime and functional reliability concerns than on safety validation. 
Much of the testing will have to be completed for NEP systems based on SP- 
100 fuel. The safety program must provide early focus on demonstration of the 
reliability of shutdown and shutdown heat removal functions to support nuclear 
system level ground testing. 

Ground testing of space nuclear propulsion systems that include nuclear 
fuel and the potential for release of radioactive materials or exposure of 
personnel to direct radiation should, as a minimum, adhere to existing DOE 
orders related to siting and establishment of safety design requirements (DOE 
Order 5480.6 [U.S. DOE, 1986] and DOE Order 5480.4 [U.S. DOE, 1984]). 

The required application of 10 CFR 50 (U.S. NRC, 1991b), Appendix A 
(General Design Criteria for Nuclear Power Plants), in DOE Order 5480.6, 
should be interpreted in terms of the more general requirement of 10 CFR 
50.34(a)(3)(i): that principal design criteria be provided for the facility using 10 
CFR 50, Appendix A as guidance. The mandatory requirement for IEEE279, 
IEEE308, IEEE603, ANS 15.1 and the ASME BPV Code in DOE Order 5480.4 
will also need interpretation when applied to unique equipment associated with 
nuclear propulsion test facilities. The exemption provided for space-based 
nuclear reactors in DOE Order 5480.6, 8.c. should be interpreted to be 
applicable only to flight systems; the exemption should not apply to ground test 
reactor facilities for these systems. 

The requirement in DOE Order 5480.6 for preparation of safety analysis 
reports using NRC guidelines on standard format and content will require 
interpretation. Nonetheless, the concept of identifying design-basis accidents 
and analyzing these to assure adequate safety margins are implemented in the 
design should be retained. The concept should be extended as has been the 
practice with most recent safety reviews of power reactors to include analysis of 
severe accidents that are lower in probability than the design-basis accidents. 
The evaluation of this latter category of accident can be included in a formal 
risk analysis and also used in the establishment of a site suitability source term 
used in conjunction with meeting the siting requirements of 10 CFR 100 (U.S. 
NRC, 1991c) called for in DOE Order 5480.6. The results of these analyses will 
have an important role in establishing the extent of the safety features required 
to assure safe reactor shutdown, shutdown cooling, and control of the release of 
radioactivity. 


5-5 



NSPWG Report 


Siting requirements and specific facility design requirements should be 
established to maintain radiation exposure dose consequence for normal 
operations, including anticipated operational occurrence, to levels consistent 
with 10 CFR 20 (U.S. NRC, 1991a). Although this is not a mandatory standard 
in DOE Order 5480.4, it has been generally adhered to and implements the 
NCRP recommendations for occupational and public exposures to radiation. 
Application of this guidance to the NTP reactor exhaust may require special 
filtering holdup, or location of the exhaust release point. 

The requirements for formal review of the Safety Analysis Reports 
specified in DOE Order 5481. IB should be applied. Organizations and staff 
assigned to complete independent reviews should be identified as soon as 
possible so that a competent and comprehensive review can be completed. 

5.2.3 Transportation Equipment 

A certified shipping container which meets DOT and DOE/NRC 
regulations will normally be required for the transport of fissile material (e.g., 
fuel, fuel rods, or a complete reactor assembly) between the ground test facility 
and the launch site. Although DOE’s Safe Secure Trailer (SST) provides 
adequate physical security for the transport of fissile materials, it is not 
certified to meet the expected requirements for nuclear propulsion reactors and 
there are no plans to obtain SST certification as a shipping container. Thus, 
although the SST can be used as a carrier, a certified shipping container will 
normally be required to ensure its contents will remain subcritical, shielded, and 
adequately contained under normal and specified accident conditions. 

Certified shipping containers exist that may accommodate the fuel and fuel 
forms likely to be used for the spectrum of SEI nuclear propulsion systems 
under consideration. Certified shipping containers capable of meeting the 
expected transportation safety requirements and capable of accommodating a 
full SEI nuclear reactor propulsion assembly have not been identified. 
Therefore, unless assembly occurs at the ground test facility and at the launch 
site, a container will probably have to be designed and built and then analyzed 
and successfully tested to obtain certification before actual use. 

Based on this information, the following recommendations are made: 

• Verify the adequacy and availability of existing certified shipping 
containers for the transport of fuel and fuel forms envisioned for SEI 
nuclear propulsion systems. 

• Because of the demanding certification requirement for nuclear fuel 
shipping containers, the program should, as early as practical, evaluate fuel 
transportation and loading options to determine shipping container 
requirements. 

By focusing appropriate, timely attention on the requirements for a specially- 
designed and appropriately certified shipping container, the program office can 
ensure that this vital equipment will be available for use when needed. 


5-6 



NSPWG Report 


5.2.4 Launch Facility 

Safety procedures must be established, and facility provisions must be 
available, at the launch site to ensure that assembly, storage, checkout, testing, 
and integration of nuclear propulsion system flight hardware will not pose a 
hazard to the public, workers, property, or the environment. Prior to launch, 
nuclear propulsion flight hardware must be handled safely and proper shielding 
must be provided. Adequate physical security and safeguards must be provided 
during the prelaunch phase. As a minimum, storage, checkout, and integration 
will be required at the launch site; thus, an adequate facility must be available 
at the launch site. The program should focus attention on the requirements for 
a special facility at the projected launch site and initiate appropriate actions to 
ensure its adequacy and availability for use when needed. 


5-7 




NSPWG Report 


6. Suggested Future Activities 

This section suggests future activities related to safety that should be 
considered by the SEI program office. Subsection 6.1 addresses the need for a 
safety, quality and reliability program plan and the necessary features of the 
plan. In Subsection 6.2, communication with and participation of the public are 
discussed with some thoughts on how these activities might be pursued. 

6.1 Safety. Quality, and Reliability Program Plans 

As one of its first tasks the SEI nuclear propulsion program, in conjunction 
with the SEI program office, must develop program plans for safety, quality 
assurance, and reliability. These program plans will establish the framework for 
implementation of activities important to safety. Program plans for the overall 
SEI program should also be developed. 

The Safety Program Plan should: (1) establish the scope and importance of 
safety to the success of the program, (2) include a concise statement of safety 
policy for the program, (3) identify specifically how safety will be managed 
within the organizational structure of the program, (4) identify how safety 
assessment within the program and independent safety oversight will be 
conducted, (5) provide technical safety guidance to permit activities to move 
forward and continuously progress, and (6) task the program participants to 
develop a Safety Implementation Plan (SIP) for each functional area or activity. 

Information provided in this report is directly applicable to items (1), (2), 
and (5) identified above; thus, no further discussion of these items is necessary. 

Item (3) addresses the mainline safety program. It will involve technical 
and safety analysis and reviews routinely conducted by management and staff as 
a distinct function. The Safety Program Plan should establish an effective 
safety review process within the program for ensuring safety and the ultimate 
success of the program. Doing so will help management to focus and maintain 
appropriate attention continually on safety throughout the duration of the 
program. More specifically, it will provide management with an indispensable 
means of obtaining timely, objective programmatic and technical safety 
performance assessments. These assessments can serve to verify safety 
performance and may guide the redirection of program activities, when 
necessary, to achieve safety objectives. 

Item (4) identifies two additional safety review functions internal to the 
program but outside the mainline structure, namely independent safety 
assessment and independent safety oversight. The former primarily involves 
technical assessments of mainline safety performance, while the latter is 
broader, encompassing both technical and programmatic safety appraisals, 
including management performance. Both functions demand objective reporting 
of findings and recommendations directly to management. Top management 


6-1 



NSPWG Report 


must put both of these functions in place specifically for itself while also 
authorizing establishment of these functions at lower levels of management. 

Well established procedures for independent safety oversight and 
environmental review and approval of terrestrial nuclear reactors as well as the 
launch of space nuclear systems are in place in the US. These are embodied in 
DOE orders for terrestrial reactors and in the Interagency Nuclear Safety 
Review Panel process for launch approval of nuclear systems (Sholtis, 1991). 
These procedures appear applicable and appropriate for the SEI nuclear 
propulsion program. Thus, planning for the independent reviews should be 
initiated on the basis of these existing procedures. The objectives of this early 
planning should be to confirm the adequacy of these procedures for the SEI 
nuclear propulsion program and provide preliminary schedules for the 
development work needed to support the safety and environmental approval. 

Item (6) involves the development of SIPs. These SIPs are intended to 
ensure proper safety focus throughout the SEI Nuclear Propulsion Program. In 
particular, they must specify how the program participants are going to execute 
their functional activities, and conform with the Safety Program Plan. 

6.2 Public Participation 

The SEI nuclear propulsion program, in conjunction with the overall SEI 
program, should place high priority on the establishment of a plan for public 
participation in the nuclear propulsion program. The plan should emphasize 
two-way communication between the program and the public on the safety 
aspects of nuclear propulsion. Planning should address formal participation 
processes, such as public participation in environmental impact statement 
activities, as well as informal processes. 

Planning for formal communication processes with the public should be 
initiated based on use of existing procedures. The objectives of initial planning 
should be to confirm or modify these procedures, as appropriate, for the SEI 
nuclear propulsion program. Schedules should be established to integrate formal 
communication processes with the activities needed to support safety and 
environmental approvals. 

The initial planning effort for public participation should develop a process 
that addresses the need for meaningful public involvement in that the process: 

• contributes to safety 

• provides a forum for two-way communication between the public and the 
program 

• allows public concerns to be addressed 

• improves public understanding of SEI safety 

• serves SEI program goals 


6-2 



NSPWG Report 


Glossary of Terms 

Accident — an unplanned event with adverse or potentially adverse consequences. 

As Low as Reasonably Achievable (Exposure)— to control or manage exposures 
and releases of radioactive material to the environment as low as social, 
technical, economic, practical, and public policy considerations permit. A 
process to attain dose levels as far below acceptable limits as possible. 

As Low as Reasonably Achievable (Risk) — to reduce risks to levels as low as 
social, technical, economic, practical, and public policy considerations 
permit. 

Credible (Events or Accidents) — those events or accidents that must be 
considered for the system design basis. 

Criticality — the operating state of a nuclear reactor where the neutron 
population in the reactor remains constant over time. 

Critical Items List — a list of component items or technical issues used to focus 
program management attention on items that are most important to the 
control of safety and reliability risks. 

Entry — the event in which a reactor system enters the atmosphere or impacts 
the surface of Earth or another celestial body. 

Essentially Intact — the state in which a reactor retains sufficient integrity to 
maintain subcriticality and keep radioactive fuel, fission products, and 
structures together. 

Extended Period of Time — encompassing the time period of potential future 
space enterprises in the local region of space under consideration. 

Extremely Low Probability Event — an event that is not expected to ever occur 
during the execution of the SEI program. 

Full Dispersal — the wide-spread scattering of a radioactive material in the 
atmosphere as an aerosol such that the consequences on Earth’s 
environment are insignificant. 

Insignificant (radiological consequence on Earth) — much less than the maximum 
allowed by terrestrial guidelines. 

Local Space Environment — the region of space under consideration. 

Low Power Testing — critical operation of a reactor at a sufficiently low power 
level to assure generation of only a negligible quantity of radioactive 
materials. 

Piloted Mission — A space mission carried out with a human crew. 

Planned Orbit — an Earth orbit condition, prior to insertion into a interplanetary 
or Earth-Lunar trajectory, that has been predetermined to be safe for 
reactor start-up operations. 

Probabilistic Risk Assessment (PRA) — the systematic and quantitative 
application of logic models (e.g., fault trees and event trees) and analytical 
techniques to estimate the probabilities and consequences of undesirable 
events. 

Risk — a quantitative or qualitative expression of potential harm or damage that 
considers both the probability that events will cause harm or damage and 
the consequences of those events. 


G-l 



NSPWG Report 


Rover — U.S. nuclear thermal rocket program pursued from the late 1950s 
through the early 1970s, including development of the NERVA reactor 
concept. 

Safeguards — those measures or features used to protect nuclear systems and 
special nuclear materials from theft, diversion, loss, or sabotage. 

Safe — judged to be of sufficiently low risk. 

Safety Analysis Report (SAR) — a report that characterizes the level of safety 
associated with the use of a reactor system. 

Safety Evaluation Report (SER) — report that provides an independent safety 
evaluation of a reactor system based, in part, on a review of the SAR. 

Safety Functional Requirements — requirements delineating specific safety 
functions. 

Safety Guidelines — suggestions and programmatic guidance for safety. 

Safety Policy — a policy that establishes the importance and priority that must be 
placed on safety and establishes the broad framework and overall guiding 
principles for the development and implementation of an effective nuclear 
propulsion safety program. 

Shutdown — subcritical by an adequate margin and incorporating positive 
measures to ensure that the reactor remains securely subcritical. 

Significant — greater than an appropriate guideline or norm. 

Space Enterprises — all human-directed activities within or dependent upon the 
space environment, including satellites, piloted, cargo and robotic space 
missions, and other endeavors. 

Space Environment — all regions of space beyond of Earth’s biosphere, including 
other celestial bodies. 

Special Nuclear Material (SNM) — plutonium, uranium 233, or uranium enriched 
in the isotopes 233 or 235 excluding source material. 


G-2 


NSPWG Report 


References 


National Council on Radiation Protection and Measurements, 1989. Guidance on 
Radiation Received in Space Activities, NCRP Report Number 098, 1989. 

Rasmussen, N.C., 1975. NUREG-75/014 ( WASH-1400 ) Reactor Safety 

Study — An Assessment of Accident Risks in U.S. Commercial Nuclear 
Power Plants, U.S. Nuclear Regulatory Commission, October, 1975. 

Sholtis, J. A., Jr., "The Flight Safety Review/Approval Process for U.S. 
Nuclear-Powered Space Missions," paper presented at the 1991 annual 
meeting of the American Nuclear Society, Orlando, Florida, 2-6 June 1991, 
TANSAO 60-1-464 (1991), Volume 63, ISSN: 0003-018X, pp 284-285, 

June 1991. 

Stafford, T.P., 1991. America’s Space Exploration Initiative , U.S. Government 
Printing Office, May 1991. 

U.S. Department of Energy, 1984. DOE Order 5480.4: Environmental 

Protection, Safety, and Health Protection Standards, May 15, 1984. 

U.S. Department of Energy, 1986. DOE Order 5480.6: Safety of Department 
of Energy-Owned Nuclear Reactors, September 23, 1986. 

U.S. Department of Energy, 1987. DOE Order 5481. IB: Safety Analysis and 
Review System, September 23, 1986, revised May 19, 1987. 

U. S. Nuclear Regulatory Commission, 1991a. U.S. Code of Federal 
Regulations, 10 CFR 20: Standards for Protection Against Radiation, 

January 1, 1991, Office of the Federal Register, National Archives and 
Records, Chapter I. 

U. S. Nuclear Regulatory Commission, 1991b. U.S. Code of Federal 
Regulations, 10 CFR 20: Domestic Licensing of Production and Utilization 
Facilities, January 1, 1991, Office of the Federal Register, National 
Archives and Records. 

U. S. Nuclear Regulatory Commission, 1991c. U.S. Code of Federal 
Regulations, 10 CFR 100: Reactor Site Criteria, January 1, 1991, Office 
of the Federal Register, National Archives and Records. 

U. S. Occupational Safety and Health Administration, Department of Labor, 
1989. U.S. Code of Federal Regulations, 29 CFR 1910.96: Ionizing 


R-l 



NSPWG Report 


Radiation , July 1, 1989, Office of the Federal Register, National Archives 
and Records, Chapter VII. 

U. S. Occupational Safety and Health Administration, Department of Labor, 
1991. U.S. Code of Federal Regulations, 29 CFR 1960.18: Supplementary 
Standards , July 1, 1991, Office of the Federal Register, National Archives 
and Records, Chapter XVII. 

Wahlquist, E.J., 1990. "U.S. Space Reactor Programs," The Anniversary 

Specialist Conference on Nuclear Power Engineering in Space, Transactions 
Part 2, Papers of International Specialist, Obninsk, U.S.S.R., May 15-19, 
1990. 


NSPWG Report 


Appendix A. Charter 

Nuclear Safety Policy Working Group Charter 


NOTE: The NSPWG Panel Membership was changed, with Steering 

Committee approval, to include the individuals on the title page of 
this report. Also, a draft report on the NSPWG was requested for 
September 1991. Both of these changes followed the issuance of the 
NSPWG charter. 


A-l 


NSPWG Report 



Department of Energy 

Washington, DC 20545 
November 16, 1990 


Gary l, Bennett 
Manager 

Advanced Space Power Systems 
NASA Headquarters 
Code RP 

Washington, DC 20546 
Dear Gary: 


( 


( 


C 


At the recent meeting of the ad hoc Space Nuclear Propulsion 
Steering Committee at NASA Lewis Research Center in Cleveland, 
Ohio, I volunteered DOE to exercise its basic nuclear safety 
responsibility by coordinating an effort to evolve a nuclear 
safety policy for Space Nuclear Propulsion in support of the 
Space Exploration Initiative. It was agreed that a technical 
panel, with DOE as lead, would be established to develop a 
proposed nuclear safety policy. Representatives from each of the 
agencies would serve on this technical panel. 

By copy of this memorandum, the individuals noted below are being 
invited to serve on the Nuclear Safety Policy Technical Panel for 
SEI Space Nuclear Propulsion. 


Chairman: 

Vice Chairman: 
Members: 


Technical Advisor: 


Albert Marshall (DOE/HQ/SNLA) 

Charles Sawyers, Jr. (NASA/HQ) 

Alva C. Hardy (NASA/Johnson) 

Jim Lee (DOD/$DIO/SNLA)/Jack Walker (DOE/SNLA) 
John Rice (DOE/INEL) 

Joe Sholtis, Jr. (USAF/AF1SC/SNR) 

George Niederauer (LANL) 

Neil Brown (GE) 


This Nuclear Safety Policy technical panel is chartered to 
develop a recommended nuclear safety policy and philosophy for 
the SEI Space Nuclear Propulsion Program. The panel should try 
to submit by early next summer (June) a consensus set of specific 
recommendations. Some of the nuclear safety areas that the panel 
should specifically address, subject to current mandatory 
regulations and requirements, include top-level policy and 
philosophy; principal elements of the general safety criteria; 
Impacts and changes required for manned systems; criteria for 
inadvertent reentry including subcriticality and impact 
considerations; approaches for redundancy and/or probabilistic 
risk; criteria for reactor fission product release; approaches 
for operational safety during ground testing, launch, startup, 


Figure A-l. Letter from Earl J. Wahlquist, Acting Associate Deputy Assistant 
Secretary for Space and Defense Power Systems 


A-2 



NSPWG Report 


2 

and flight; flight trajectory considerations; safety validation 
philosophy with respect to testing and analysis required; and 
disposal criteria. 

Some outside studies and/or analysis nay be required to provide 
Informed recommendations for some of the proposed activities. As 
the panel keeps me Informed of these needs, I will work with the 
other agencies to make arrangements, to the extent possible, to 
provide the necessary funding to support these activities. 

Completion of this effort will be an important milestone In the 
SEI Space Nuclear Propulsion Program. An approved nuclear safety 
policy and approach for this program would enable the development 
of specific safety requirements. This would permit the first 
program phase of more detailed concept definitions and 
assessments and critical technology demonstrations to get off to 
a quick and more complete start. 


Sincerely, 


Earl <1. Wahlqulst 

Acting Associate Deputy Assistant Secretary 
for Space and Defense Power Systems 


cc: 

Nuclear Safety Policy technical panel members 
Tom Miller, NASA 
Roger Lenard, D00 
John Warren, NE-52 / 

Steve Lanes, NE-50*^ 

Wade Carroll, NE-52 


Figure A-l. Letter from Earl J. Wahlquist, Acting Associate Deputy Assistant 
Secretary for Space and Defense Power Systems (Continued) 




NSPWG Report 


Appendix B. Panel Background 

Robert A. Bari 

Dr. Robert A. Bari is presently Deputy Chairman, Department of Nuclear 
Energy, Brookhaven National Lab. Dr. Bari received his AB in physics in 1965 
from Rutgers University and his Ph.D. in physics in 1970 from Brandeis 
University. Currently, he is responsible for programs on reactor safety, nuclear 
safeguards, radiation protection, waste management, nuclear data center, and 
advanced nuclear concepts. Since 1974 he has been involved in safety 
assessment of commercial, research, and test reactors and other complex 
facilities. Previous assignments in nuclear safety at Brookhaven include: Group 
Leader (1975-1981); Division Head, 1981; and Associate Department Chairman, 
1982-1988. Numerous publications and presentations on probabilistic risk 
assessments, severe accident analysis, and safety goals have been published. He 
has participated in several international programs on nuclear safety through 
OECD, IAEA, and various bilateral agreements. Dr. Bari is a fellow of the 
American Nuclear Society and currently Chairman of its Nuclear Reactor Safety 
Division. 

Mr. Neil W. Brown 

Mr. Brown is presently Manager of Safety and Reliability for the SP-100 
space reactor project at General Electric. Mr. Brown received his B.S. in 
Mechanical Engineering from the University of Washington in 1960 and his 
M.S. in Mechanical Engineering from the University of Santa Clara in 1968. 
He has been employed by General Electric for more than 30 years and has 
worked in both the aerospace and terrestrial nuclear power areas. His work in 
the nuclear area has focused primarily on advanced nuclear systems. Mr. Brown 
participated in safety review and NRC licensing of the Southwest Experimental 
Fast Oxide Reactor and the Clinch River Breeder Reactor. He has also 
contributed safety assessments of both General Electric and DOE studies of the 
safety of advanced reactor concepts including liquid metal cooled, gas cooled, 
and water and steam cooled rea c tors. He is a licensed Professional Mechanical 
Engineer in the State of California. 

Dr. Hatice S. Cullingford 

Dr. Hatice S. Cullingford works as a senior engineer at NASA’s Lunar and 
Mars Exploration Program Office (LMEPO) located at Johnson Space Center. 
Since her Ph.D. and B.S., both in chemical engineering from North Carolina 
State University, Dr. Cullingford has worked in space, nuclear, and 
environmental systems at NASA, Los Alamos, and the AEC/ERDA/DOE. She 
is a registered professional engineer in the state of Texas. Dr. Cullingford’s 
work began with the Liquid Metal Fast Breeder Reactor Program (Clinch River 
Breeder Reactor Project) in reactor system thermal hydraulics, then continued 
with plasma engineering and technology development for magnetically confined 



NSPWG Report 


fusion energy and system design studies for laser fusion and hybrid reactors. 
She has also been responsible for analysis of hydrogen systems, pressurized 
water reactor safety, and alternative concepts for replacement production 
reactors. Dr. Cullingford has been active at NASA in both project and program 
management. Her contributions include technology development and 
demonstration, conceptual designs, and simulation models of environmental 
control and life support for the space station and missions to the Moon and 
Mars. Dr. Cullingford’s current responsibilities include risk management and 
system engineering for SEI. Hatice has been recognized for her long-term and 
strategic planning achievements at both ERDA and JSC. She has produced 
three (one pending) patents and authored about 50 papers and reports. 

Mr. Alva C. Hardy 

Mr. Hardy is employed at NASA/ JSC/Space and Life Sciences/Solar 
System Exploration Division/Space Science Branch. He serves as Radiation 
Subsystem Manager for Space Shuttle dosimetry and technical manager of the 
NASA Johnson Space Center efforts in Space Shuttle and Space Station ionizing 
radiation analysis for crew safety. He received his B.S. in physics and 
mathematics in 1962 from Southwestern Oklahoma State University. Mr. Hardy 
has been with NASA Houston since 1962, with twenty-six years experience 
involved with ionizing radiation analysis and dosimetry activities for NASA 
manned space programs, primarily dealing with radiation issues related to flight 
crew safety. Mr. Hardy provides a basic understanding of the NASA Astronaut 
Ionizing Radiation Risk Limitation System for Space Activities, including 
regulatory/legal requirements, current ground rules and constraints and concerns 
for advanced program applications. 

Mr. Albert C. Marshall 

Mr. Marshall is presently employed at Sandia National Laboratories and 
serves as the Safety Advisor for Space Reactor Systems for the Department of 
Energy. His current responsibilities also include a part-time faculty assignment 
at the University of New Mexico in the Department of Chemical and Nuclear 
Engineering and space reactor work for Sandia National Laboratories. Mr. 
Marshall received a B.S. in Physics in 1965 and an M.S. in Nuclear Engineering 
in 1967, both from the Pennsylvania State University. He has twenty-two years 
work experience in the area of nuclear reactor systems at Sandia National 
Laboratories, General Atomics, and Bettis Atomic Power Laboratory. He has 
worked primarily in the areas of reactor physics, reactor design and analysis, 
and reactor safety for a broad variety of reactor types and applications. He was 
project leader for two large and complex in-core experimental programs to 
explore both light-water-cooled reactor and liquid-metal-cooled reactor severe 
core damage accident phenomenology. Mr Marshall was the lead staff member 
for a comparative assessment of space reactors and has eight years of work 
experience in the area of space reactors. 

Ur- William H. McCulloch 

Dr. McCulloch is presently a distinguished member of the technical staff at 
Sandia National Laboratories. He currently is responsible for reactor safety for 
advanced nuclear power systems. Dr. McCulloch received a B.S. in Engineering 


B-2 


NSPWG Report 


Physics in 1963, an M.S. in Mechanical Engineering in 1964, and a Ph.D. in 
Mechanical Engineering from Texas Tech University in 1964. He is also a 
registered professional engineer in the state of New Mexico and has received 
numerous recognitions for outstanding achievements. He has worked at Sandia 
National Laboratories since 1967 primarily in the areas of Heat Transfer and 
Systems Analysis, Solar Energy Projects, Light Water Reactor Safety and Space 
Nuclear Systems. In 1975, he was assigned from Sandia to the ERDA (now the 
DOE) Division of Solar Energy. He served on the Interagency Nuclear Safety 
Review Panel Power Systems Subpanel of the Galileo mssion and chaired the 
subpanel for the Ulysses mission. Dr. McCulloch has authored or co-authored 
more than 30 technical publications. 

Dr. George F. Niederauer 

Dr. Niederauer is currently SP-100 Project Safety Manager at Los Alamos 
National Laboratory. Dr. Niederauer received his B.S. in 1964 in Mathematics 
and his M.S. in Nuclear Engineering in 1966 from the South Dakota School of 
Mines and Technology. In 1967 he received his Ph.D. in Nuclear Engineering 
from Iowa State University. He has experience with computer code 
development and analysis of light water reactors and liquid metal cooled 
reactors in the areas of reactor physics, kinetics, thermal hydraulics, and heat 
transfer. Management responsibilities included groups involved in computer 
code development for safety analysis, reactor simulators and real time 
monitoring, safety analysis of reactor systems and containment, and risk 
assessment. He has also been employed at Bettis Atomic Power Laboratory, 
NASA Lewis Research Center, Aerojet Nuclear Company, and Energy 
Incorporated. 

Mr. Kerry Remn 

Mr. Remp is currently the Deputy Chief of the Safety Assurance Office, 
NASA Lewis Research Center. Responsibilities include management of systems 
safety activities for all NASA Lewis Research Center spaceflight, terrestrial and 
facility programs, including nuclear propulsion. Space Station Freedom power 
system and numerous satellite and experimental programs. Mr. Remp received 
his B.S. in Marine Engineering, with a minor in Nuclear Engineering in 1982 
from the U.S. Merchant Marine Academy. Some of his achievements to date 
include: Development and review of safety requirements for the 

NASA/DOE/DOD joint Space Exploration Initiative (SEI) program; review of 
construction and operational aspects of numerous U.S. nuclear power generation 
plants, including extensive experience at Perry Nuclear Power Plant; member of 
hydrostatic testing team for the H.B. Robinson nuclear power plant; and 
development of safety and quality assurance training programs for numerous 
nuclear power plants managed by the Yankee Atomic Electric Company. 

Mr. John W. Rice 

Mr. Rice is currently the Nuclear Safety Support Program Specialist at 
Idaho National Engineering Laboratory. Mr. Rice received his M.S. in Nuclear 
Engineering from the Air Force Institute of Technology in 1975. During his 
Air Force career he was Nuclear Weapon Safety Officer at the Air Force 
Weapons Laboratory, Nuclear Weapon Safety Officer at HQ Strategic Air 



NSPWG Report 


Command, and Space Nuclear Safety Officer at the Air Force’s Inspection and 
Safety Center’s Directorate of Nuclear Surety (AFISC/SN). While at AFISC/SN, 
he was also responsible for nuclear safety approval for Air Force launches of 
minor radioactive sources and Executive Secretary for the Interagency Nuclear 
Safety Review Panel for NASA’s Galileo space mission. More recently, Mr. 
Rice was the Nuclear Safety Program Specialist at INEL for the Multimegawatt 
Space Reactor Project Integration Support Office. 

Mr. J. Charles Sawyer. Jr, 

Mr. Sawyer is presently assigned to the NASA Headquarters Safety 
Division in the Office of Safety and Mission Quality (Code Q) as the NASA 
Headquarters Level I Safety Manager for the Space Station Freedom Program, 
for the Space Exploration Initiatives and for the Nuclear Propulsion Program. 
Previously he was the Level I Payload Safety Manager, dealing with the payload 
safety aspects of payloads such as Galileo, Ulysses, Hubble Space Telescope, 
Telemetery Date Relay Satellite, and Magellan. In previous assignments Mr. 
Sawyer was the Director of Range Safety at the USAF Armament Division at 
Eglin Air Force Base, Florida where he was responsible for the development of 
range safety policies and criteria for approximately 600 test and evaluation 
programs, which included the US Navy Tomahawk, the US Army Hellfire, the 
USAF Advanced Medium Range Air to Air Missile (AMRAAM), the AGM- 
13C, and several types of laser- and television-guided bombs. Prior to 
accepting the position as Director of Range Safety, Mr. Sawyer was a Range 
Safety Analyst at the Armament Division and at the Pacific Missile Test Center 
at Point Mugu, CA, where he developed range safety criteria for many of the 
early tactical and strategic weapons systems, scientific sounding rockets and 
participated in several of the Nuclear Readiness-to-Test Exercises at Johnston 
Atoll as a member of Joint Test Force 8. Mr. Sawyer holds a B.S. in 
Mechanical Engineering (aerospace option) from the University of California, 
Berkeley, and a M.S. in Systems Management from the University of Southern 
California. He is a graduate of the USAF Air War College. 

Lt Col Joseph A. Sholtis. Jr. 

Lt Col Joseph A. Sholtis, Jr., is Chief of the Analysis and Evaluation 
Branch, Nuclear Power and Sources Division, Directorate of Nuclear Surety, Air 
Force Safety Agency, Kirtland AFB, New Mexico, overseeing Air Force 
terrestrial and U. S. aerospace nuclear power projects from a safety standpoint. 
From March 1984 to August 1987, while assigned to Air Force Element, U.S. 
Department of Energy, Lt Col Sholtis served as the Program Manger of the 
joint DOD/DOE/NASA SP-100 Space Reactor Power System Development 
Program. From August 1980 to March 1984, he served as Chief, Radiation 
Sources Division and Reactor Facility Director at the Armed Forces 
Radiobiology Research Institute in Bethesda, Maryland. He has supported 
Interagency Nuclear Safety Review Panel (INSRP) evaluations of the Viking, 
LES 8/9, and Voyager missions employing Radioisotope Thermoelectric 
Generators (RTGs), chaired the INSRP Power System Subpanel for the RTG- 
powered Galileo and Ulysses space missions, served as the DOD INSRP 
Coordinator for the Ulysses mission, and served as a technical expert on the 
United Nations Working Group on Nuclear Power Sources in Outer Space. He 
has also followed development of the Soviet Romashka and Topaz space 



NSPWG Report 


reactors. He holds a B.S. from the Pennsylvania State University and an M.S. 
from the University of New Mexico in Nuclear Engineering. He is a member 
of the faculty of the Uniformed Services University of Health Sciences and has 
authored/co-authored one textbook, one handbook, and more than sixty 
technical publications. 


B-5 



REPORT DOCUMENTATION PAGE 


Form Approved 
OMB No. 0704-0168 


Public reporting burden for this collection of information is estimated to average 1 hour per response, Induding the time for reviewing Instrudion^searching 
qatherinq and maintaining the data needed, and completing and reviewing the collection of information. Send comments regarding this burden estimate or any other _asp©ct of this 
collection of information, including suggestions for reducing this burden, to Washington Headquarters Services, Dj r ^orate for lnf^atior^p^tior^ an^eports , 2 5 Je 
Davis Highway, Suite 1204, Arlington, VA 22202-4302, and to the Office of Management and Budget, Paperwork Reduction Project (0704-0188). Washington, DC 20503. 


1. AGENCY USE ONLY (Leave blank) 


4. TITLE AND SUBTITLE 


2. REPORT DATE 


April 1993 


REPORT TYPE AND DATES COVERED 

Technical Memorandum 


5. FUNDING NUMBERS 


Nuclear Safety Policy Working Group Recommendations on Nuclear Propulsion 
Safety for the Space Exploration Initiative 


6. AUTHOR(S) 

Albert C. Marshall, James H. Lee, William H. McCulloch, J. Charles Sawyer, Jr., 
Robert A. Bari, Hatice S. Cullingford, Alva C Hardy, George E Niederauer, 

Kerry Remp, John W. Rice, Joseph A. Sholtis, and Neil W. Brown 


7. PERFORMING ORGANIZATION NAME(S) AND ADDRESSEES) 

National Aeronautics and Space Administration 
Lewis Research Center 
Cleveland, Ohio 44135-3191 


WU-593-71 


8. PERFORMING ORGANIZATION 
REPORT NUMBER 


E-7782 


9. SPONSORING/MONITORING AGENCY NAME(S) AND ADDRESS(ES) 

National Aeronautics and Space Administration 
Washington, D.C. 20546-0001 


10. SPONSORING/MONITORING 
AGENCY REPORT NUMBER 


NASA TM- 105705 


' Albeit C. MarehaMamX H.^cc. and William H. McCulloch, Sandia National Laboratories, P.O. Box 51100, Albuquerque, New Mexico 87185; J. Charles Sawyer, Jr., NASA Headquarters, Code OS, 
Washington, D.C. 20546; Robert A. Bari, Brookhavcn National Laboratory, Building I97C, Upton, New York 1 1973; Haticc S. Cullingford and Alva C. Hardy, NASA Johnson Space Center, Houston, 
Texas 77058- George F Niederauer, Los Alamos National Laboratory, Los Alamos, New Mexico 87545; Kerry Remp, NASA Lewis Research Center; John W, Rice, Idaho National Engineering 
Laboratory, Idaho Falls, Idaho 83415; Joseph A. Sholtis, Kirtland Air Force Base, AFS A/SEN R, Kirtiand AFB, New Mexico 87117-5000; and Neil W. Brown, General Electric, 6835 Via Del Oro. San 
Jose, California 95119-1315. Responsible person, John S. Clark, (216) 891-2174. 

12a. DISTRIBUTION/AVAILABILITY STATEMENT 12b. DISTRIBUTION CODE 

Unclassified - Unlimited 
Subject Categories 16 and 20 

13. ABSTRACT (Maximum 200 words) 

An interagency Nuclear Safety Working Group (NSPWG) was chartered to recommend nuclear safety policy, require- 
ments, and guidelines for the Space Exploration Initiative (SEI) nuclear propulsion program. These recommendations, 
which are contained in this report, should facilitate the implementation of mission planning and conceptual design 
studies. The NSPWG has recommended a top-level policy to provide the guiding principles for the development and 
implementation of the SEI nuclear propulsion safety program. In addition, the NSPWG has reviewed safety issues for 
nuclear propulsion and recommended top-level safety requirements and guidelines to address these issues. These 
recommendations should be useful for the development of the program’s top-level requirements for safety functions 
(referred to as Safety Functional Requirements). The safety requirements and guidelines address the following topics: 
reactor start-up, inadvertent criticality, radiological release and exposure, disposal, entry, safeguards, risk/rel lability, 
operational safety, ground testing, and other considerations. 


14. SUBJECT TERMS 


Nuclear propulsion; Safety; SEI nuclear rockets; NTP; NEP 


15. NUMBER OF PAGES 

75 


16. PRICE CODE 

A04 


17. SECURITY CLASSIFICATION il8. SECURITY CLASSIFICATION 19. SECURITY CLASSIFICATION 20. LIMITATION OF ABSTRACT 

OF REPORT OF THIS PAGE OF ABSTRACT 

Unclassified Unclassified Unclassified _ 

Lew m 9«n «nn " Standard Form 298 (Rev. 2-89) 

NSN 7540-01 -280-5500 Prescribed by ANSI Std. Z39-1B 





